Using an identity-based communication layer for computing device communication

ABSTRACT

A computer architecture for enterprise device applications provides a real-time, bi-directional communication layer for device communication. An identity-based communications layer provides for secure, end-to-end telemetry and control communications by enabling mutual authentication and encryption between the devices and the enterprise. The identity-based communications layer is situated between a network layer and an application layer and transmits a message between two devices identified by a global address. The global address specifies a protocol, a network, and an address meaningful for the combination of the protocol and the network.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority from U.S. Provisional Application No.60/398,722, titled “Computer System” and filed Jul. 29, 2002, and fromU.S. Provisional Application No. 60/421,803, titled “Computer System”and filed Oct. 29, 2002, both of which are incorporated by reference intheir entirety.

TECHNICAL FIELD

This description relates to computer systems.

BACKGROUND

Advances in computing and networking technologies are creating new wavesof network-aware sensors, instruments, products and devices. Thesedevices generally transmit status information and operating data,receive commands over a network, and may be referred to as telemetricdevices. By some estimates, there may be 10,000 of these telemetricdevices for every human being on the planet by the year 2010.Enterprises are attempting to leverage the use of these devices bydeploying device computing applications to more efficiently measure,monitor, maintain and control processes and equipment. In some cases, ageographically distributed enterprise may use a device computingapplication to increase the enterprise's reach beyond the traditionalnetworks of the enterprise. This may result in market growth and costsavings for the enterprise.

SUMMARY

In one general aspect, a first endpoint connected to a network uses aglobal address of a second endpoint connected to the network tocommunicate with the second endpoint. The global address specifies aprotocol, a network identifier, and an address meaningful for thecombination of the protocol and a network identified by the networkidentifier. An application sends messages directed to the secondendpoint through an identity-based communication layer that is situatedbetween a network layer and an application layer. The messages areindependent of the protocol. The identity-based communication layertransmits the messages to the second endpoint using the protocol, thenetwork, and the address specified by the global address.

Implementations may include one or more of the following features. Forexample, the global address of the second endpoint may be determined byusing a unique identity identifier associated with the second endpoint.The global address may be different each time a session is initiatedwith the second endpoint. The identity identifier may specify a realmand a unique identifier that identifies the second endpoint within therealm. The combination of the realm and the unique identifier mayuniquely identify the identity.

The identity identifier may be an identity identifier for a compositeidentity that is associated with two or more other identity identifiers.The composite identity may be associated with an authenticationcredential. The composite identity may be created only when each of thetwo or more other identity identifiers associated with the compositeidentity have been authenticated. At least one of the two or more otheridentity identifiers may be an identity identifier for another compositeidentity. The determination of the global address may be accomplishedthrough the use of a presence and availability service that provides theglobal address in response to a received identity identifier.

The second endpoint may announce the global address of the secondendpoint through the use of the presence and availability service. Adetermination may be made as to whether the second endpoint is permittedto announce the global address. The second endpoint may announce theglobal address through the use of the presence and availability serviceonly when the second endpoint is permitted to announce the globaladdress. The determination as to whether the second endpoint ispermitted to announce the global address may be based on the identityidentifier of the second endpoint. The determination as to whether thesecond endpoint is permitted to announce the global address may beperformed by a policy service. The global address provided by thepresence and availability service in response to an identity identifiermay be the global address most recently announced by the endpointassociated with that identity identifier. The determination of theglobal address of the second endpoint may occur during an authenticationprocedure involving the first endpoint, the second endpoint and a thirdentity.

The determination may be made as to whether a communication sessionbetween the second endpoint and a first endpoint is permitted. Theauthentication procedure may be completed only when the communicationsession is permitted. The determination may be based on the identityidentifier of at least one of the second endpoint and the firstendpoint. The determination as to whether the communication session ispermitted may be performed by a policy service.

The messages exchanged in the communication session between the firstendpoint and the second endpoint may be encrypted. A policy service maydetermine whether to encrypt messages exchanged in the communicationsession between the first endpoint and the second endpoint. Thedetermination as to whether to encrypt messages may occur when the firstendpoint initiates a communication session with the second endpoint ormay be based on the identity identifier of at least one of the firstendpoint and the second endpoint. The determination as to whether toencrypt messages may occur during an authentication procedure involvingthe first endpoint, the second endpoint, and a third entity.

An integrity check may be applied to a message exchanged in thecommunication session between the first endpoint and the secondendpoint. The integrity check nay employ a message authentication code.A policy service may determine whether to apply integrity checks tomessages exchanged in the communication session between the firstendpoint and the second endpoint.

The determination as to whether to apply data integrity checks may occurwhen the first endpoint initiates a communication session with thesecond endpoint, may be based on the identity identifier of at least oneof the first endpoint and the second endpoint, or may occur during anauthentication procedure involving the first endpoint, the secondendpoint, and a third entity.

The first endpoint may be connected to a first network. The secondendpoint may be connected to a second network. A relay may be used toconnect the first network and the second network.

The protocol may be a message-framing protocol using the transmissioncontrol protocol. The address meaningful for the combination of theprotocol and the network identified by the network identifier may be anInternet Protocol address and a transmission control protocol portnumber. The address meaningful for the combination of the protocol andthe network identified by the network identifier may be an InternetProtocol domain name and a transmission control protocol port number.The protocol may be the Hypertext Transfer Protocol. The addressmeaningful for the combination of the protocol and the networkidentified by the network identifier may be a uniform resource locator.

The identity identifier of the second endpoint may be associated withmore than one global address. The global address may be selected fromthe more than one global address associated with the identity identifierof the second endpoint to use for communicating between the firstendpoint and the second endpoint.

In another general aspect, two endpoints connected to a network maycommunicate. An application of a first endpoint provides to aglobal-address-based communication layer a message destined for a secondendpoint and a global address of the second endpoint. The global addressspecifies a protocol, a network identifier, and an address meaningfulfor the combination of the protocol and a network identified by thenetwork identifier. The global-address-based communication layer selectsan appropriate networking layer. The global-address-based communicationlayer provides to the selected networking layer the message destined forthe second endpoint and the address meaningful for the combination ofthe protocol and network identified by the network identifier. Theselected networking layer sends the message to the second endpoint.

Implementations may include one or more of the features noted above andone or more of the following features. For example, the selectednetworking layer may transmit the message using the protocol specifiedby the global address of the second endpoint.

The application may provide to an identity-based communication layer amessage destined for the second endpoint and an identity identifierassociated with the second endpoint. The identity-based communicationlayer may use a presence and availability service to determine theglobal address of the second endpoint using the identity identifierassociated with the second endpoint. The identity-based communicationlayer may provide to the global-address-based communications layer themessage destined for the second endpoint and the global address of thesecond endpoint.

The presence and availability service may be used to determine theglobal address of the second endpoint. The global address may be sent tothe presence and availability service the identity identifier associatedwith the second endpoint. The global address associated with the secondendpoint may be received from the presence and availability service.

A networking layer of the second endpoint may receive the message andprovide the message to a global-address-based communication layer of thesecond endpoint. The global-address-based communication layer of thesecond endpoint may provide the message to an application layer of thesecond endpoint.

The message may be provided to the application layer of the secondendpoint by having the global-address-based communication layer of thesecond endpoint provide the message to an identity-based communicationlayer of the second endpoint. The identity-based communication layer ofthe second endpoint may provide the message to the application layer ofthe second endpoint.

Implementations of the techniques discussed above may include a methodor process, a system or apparatus, or computer software on acomputer-accessible medium. The details of one or more of theimplementations are set forth in the accompanying drawings anddescription below. Other features will be apparent from the descriptionand drawings, and from the claims.

DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram of a computer system that implements anenterprise device application.

FIG. 2 is a block diagram of the computer system of FIG. 1 divided intounderlying networks.

FIG. 3 is a block diagram illustrating a system architecture forproviding an inter-communication layer for device information flows.

FIG. 4 is a block diagram depicting communications between an initiatingidentity and an accepting identity using an intermediary to translate anidentity into a physical address.

FIG. 5 is a block diagram showing a data structure used for a physicaladdress.

FIG. 6 is a block diagram illustrating a three-layer implementation ofidentity-based communication layer software.

FIG. 7 is a block diagram depicting a data structure used for anidentity.

FIG. 8 is a block diagram showing an imprinting process, a registrationprocess, and a session establishment process.

FIG. 9 is a block diagram illustrating communications between anendpoint identity, an authentication service, a policy service, and apresence and availability service to register the endpoint identity.

FIGS. 10A and 10B are block diagrams depicting establishing acommunications session by using a challenge and response protocolinvolving a session initiator, an authentication service, a sessionacceptor, a presence and availability service, and a policy service.

FIG. 11 is a block diagram showing a data structure used for ashort-term authentication credential that is used by an identity toestablish a communications session with another identity.

FIG. 12 is a block diagram illustrating a data structure for a sessioncredential that is used by an identity to establish a communicationssession with another identity.

FIG. 13 is a block diagram depicting an architecture for sendingtelemetry data from a data producer to one or more data receivers.

FIG. 14 is a block diagram illustrating a data structure for a telemetrydata element.

Like reference symbols in the various drawings indicate like elements.

DETAILED DESCRIPTION

In one particular implementation, a system architecture is provided tosupport the deployment of network devices, which may range from simpletemperature or vibration sensors to more complex servers ormanufacturing test equipment. The architecture supports real-timetelemetry and control information about the devices to enable a newclass of applications, which may be referred to as device computingapplications or device applications. Options provided by suchapplications may include providing new levels of responsiveness forpreventative maintenance of devices before emergencies arise, offeringnew services such as advanced support programs and pay-per-use billingmodels to customers by continuously monitoring devices and the methodsand frequencies by which the devices are used, reducing costs throughunattended remote control and maintenance of devices, and automatingbusiness transactions by integrating devices directly with back-endenterprise software suites to eliminate error-prone manual andpaper-based processes.

Through the deployment of device applications, enterprises may accessvaluable information that provides unique, real-time visibility into allaspects of enterprise operations. Enterprises may use this informationto provide better service with better quality support and quicker, ifnot immediate, responses to device issues that arise. Furthermore,business process efficiencies may be realized through the deployment ofdevices.

The system architecture provides a single, consistent platform that maybe used across all enterprise device application projects. Thearchitecture provides a real-time, bi-directional communication layerfor all device communication needs, as well as a comprehensive platformupon which robust device applications may be quickly and efficientlydeveloped and deployed.

The system architecture provides a platform for fully secure, end-to-endtelemetry and control communications, by enabling mutual authenticationand encryption between the device and the enterprise. Using anIdentity-based Communications Layer (ICL), the system architectureassigns a unique identity to every device, user and application, andprovides a full suite of security services including authentication,access control, encryption and data integrity.

The ICL operates above the network communication layer to enable securedevice-to-enterprise communication over any network type. Networks suchas paging networks, satellite networks, cellular networks, andproprietary data networks (e.g., a wireless protocol from a device to abase station) are supported.

The system architecture provides for remote, centralized management andpolicy control of all devices on the network. The system architecture isalso highly scalable.

The system architecture provides a single and consistent infrastructurethat allows the same platform to be used for all of an enterprise'sdevice applications. Common processing modules also may be shared amongthese applications to significantly reduce both development anddeployment costs. The enterprise benefits from incorporating varioustelemetry and control information from different sources. The systemarchitecture promotes interoperability between projects by easilycombining and distributing this data to any authorized person ordepartment within the enterprise. Furthermore, application managementand policy control (e.g., for security settings) may be centrally andconsistently administered for all applications.

The system architecture provides a device computing enterprise platformand an identity-based communication layer (ICL) that may be used torapidly develop device applications for all types of devices.

The device computing platform manages real-time data flows associatedwith devices. Typically, incoming device data needs to be refined orinspected, such as by using check-sums, computational transformations,filtering, parsing, database writing or re-formatting of the data.Device applications may use common methods to process the device datainto useful information. For example, simple checks may be incorporatedto ensure that the incoming data represents reliable data and fallsbetween expected ranges; alerts and notifications may be triggered atdifferent points along the processing chain if the data is revealed toviolate some pre-defined policies; different data streams may becorrelated to ensure that the specific data from one device is matchedup against the corresponding data from another device; transactions maybe initiated based upon various preset rules and incoming data flows;and, at various points along the flow of device data, at least someportion of the information may be stored in a database. The systemarchitecture leverages these similarities and presents an environmentupon which the developer can assemble and configure existing informationflow processing modules to accomplish developer needs.

The system architecture provides developers with a platform for simplyconfiguring pre-defined flow processors that may accomplish asubstantial portion of the device application development requirements.The time required for developing these applications may be reduceddramatically when compared with conventional approaches. The systemarchitecture provides a robust architecture to ensure seamless, securecommunications across any network, regardless of type or dispersion. Aflow processor also may be reused in a different device application,which may result in further reductions of the time required to develop adevice application.

Special processing of the information flows might be required to carryout application-specific processing with the incoming data. In thesecases, the system architecture provides a template that the developermay use to create an information flow processor and incorporate theinformation flow processor into the device application.

The device computing platform may allow for efficient development ofdevice applications and may limit the range of skills required by adeveloper. Furthermore, the applications that are developed can leveragethe device computing platform to provide security, scalability, networkindependence, and an efficient installation.

The core of the computing device platform upon which the deviceapplications run (i.e., the application run-time environment) uses theICL to enable the secure, bi-directional communications among devices,and between devices and the enterprise. The ICL may extend to thedevice. A unique identity may be permanently assigned to every entitywithin the communications flow, including the device, the user, and theapplication. The identity may enhance the scalability, security andnetwork independence of a device application.

The ICL helps to ensure that devices and users are authenticated andauthorized, and that communication messages are encrypted to maintaintheir integrity. The ICL operates above the networking protocol layer toallow communications to occur over any type of data network.Furthermore, the applications using the ICL are unaffected by changes inrouting processes or IP addresses (e.g., during a system upgrade orotherwise).

An application developed on the device computing platform communicateswith devices on the network through the ICL. Additional applications maybe developed to further process the device information in a secure andscalable fashion.

The ICL provides a mediated peer-to-peer model that supportscommunications between two entities. According to the model, a firstentity A invokes core services (e.g., authentication services) of theICL to communicate with a second entity B. Entities A and B are named byidentities that are independent of underlying network hardware andsoftware, and that are automatically translated into network addresses.In particular, each of entities A and B may have one or more associatedglobal addresses that include a network identifier, a protocolidentifier, and a network address meaningful to the identified network.

Applications in which the system architecture may be employed include,for example, use by product manufacturers (e.g., manufacturers ofcomputers, network equipment, vehicles or other machines, buildingcontrols, medical devices, machine tools, appliances, and electricalinfrastructure such as generators) to monitor product performance.Networks that may be employed in such applications include dial-upnetworks, the Internet, wireless networks, and customer networks thatmay or may not be isolated by firewalls. Particular services that may beprovided by such applications may include remote health monitoring,remote service, condition-based maintenance, pay per use monitoring,value-added services, and supply replenishment.

Another application of the system architecture is with respect to highlydistributed operations within one company. Example devices that may beencompassed by such an application include a sensor, a personal digitalassistant (PDA), a mobile telephone, a controller, network-enabledequipment, a truck, a global positioning satellite (GPS) receiver, a barcode or radio frequency identification (RFID) scanner, a cash register,and a customer kiosk. Networks that may be encountered include, forexample, the Internet, wireless networks (e.g., paging, cellular orsatellite), Internet plus dial-up, Internet plus a digital subscriberline (DSL), and Internet plus a local area network (LAN). Servicesprovided by a highly distributed application include logistics, assettracking, asset optimization, supply chain management, inventorymanagement, business intelligence, and real-time business transactions.

Referring to FIG. 1, a computer system 100 controls communicationsbetween an enterprise application 105 and devices 110, 115, 120 and 125.The enterprise application 105 is located on an enterprise side 130 ofthe computer system, while the devices 110, 115, 120 and 125 are locatedon a device side 135 of the computer system. A firewall 140 isolates theenterprise side 130 from the device side 135.

In the illustrated implementation, the enterprise application 105reaches the firewall 140 through a first private LAN 145, a router 150,and a second private LAN 155. The devices 110 and 115 reach the firewall140 through a message-based paging network 160 that is connected througha carrier gateway 165 to the public Internet 170, which is connected tothe firewall 140. The device 120 is connected to the Internet 170through an Internet-enabled wireless network 175 and a carrier gateway180, while the device 125 is connected directly to the Internet 170.

The computer system employs a system architecture that facilitatesconnections between business information technology infrastructure(i.e., the enterprise application 105) and devices of all kinds. Devicesmay include, for example, objects and equipment that are involved in theoperation of a business, such as appliances, electronic equipment,factory machines, gas pumps, office equipment, thermostats, wirelessphones, vehicles, or any other object that includes electroniccomponents. The linking of devices on a wide-spread scale to theinformation technology infrastructure of a business may create newopportunities for cost saving, revenue opportunity, and/or customersatisfaction.

For example, in one implementation, the retail sales division of a largeenergy company may be able to monitor gas pumps and tanks at fillingstations across the country. Fuel readings from the gas stations alsomay be correlated with readings from on-truck fuel level sensors andlocation tracking equipment. By gathering information in real time aboutwhich stations need fuel deliveries and identifying the closest truckwith sufficient fuel, transportation cost savings may be realized.

In another example, a worldwide package delivery company employs a greatdiversity of devices in its daily operations: drivers carry handheldpackage scanners, delivery trucks are equipped with GPS-based locationsensors, retail package drop-off centers have point-of-sale devices, andshipping rooms of catalog sales customers of the delivery company havespecialized devices that automate the shipping and tracking of thousandsof packages that each such customer ships daily. Managing all of thesedevices to provision new equipment, monitor sources of trouble, andinsure that consistent corporate security policies are met may beexceedingly difficult. Having a uniform underlying network architecturecan reduce the system administration burden by an order of magnitude,saving money while assuring that security goals are more reliably met.

In yet another example, a manufacturer of magnetic resonance imaging(MRI) equipment for medical diagnosis is able to monitor the operationof products installed at customer sites, as well as to remotelyadminister and control the products. By doing this, the manufacturer mayrealize substantial savings in the cost of customer service and may beable to provide a more rapid response to a customer's problem. Themanufacturer also may create new usage-based sales models in which acustomer pays a fee for each image produced by the MRI machine (e.g.,pay “by the image”) instead of purchasing the MRI machine from themanufacturer.

These examples illustrate both the variety of ways to connectenterprises to devices within the enterprise and the variety of businessopportunities that may underlie the need for the described systemarchitecture.

FIG. 2 illustrates that the system 100 of FIG. 1 may be divided into afirst underlying network 200 that includes a satellite paging network, asecond underlying network 205 that includes the public Internet, and athird underlying network 210 that includes private LANs. A relay 215connects the first underlying network 200 to the second underlyingnetwork 205, and a relay 220 connects the second underlying network 205to the third underlying network 210.

A relay, such as relay 215 or relay 220, is a special application thatruns within the system 100. A relay bridges communication betweendifferent protocols or across networks that are not inter-addressable. Arelay maintains routing information that indicates what adjacent relaysshould be used to reach an underlying network that is not directlyreachable.

Deployments that do not require protocol or network bridging do notrequire a relay. The relay is like an ICL core service in that an ICLendpoint library relies on the relay for proper operation. But unlikethe other ICL core services, the relay is not a required part of everydeployment, and the relay is not necessarily hosted on the enterpriseside, but rather at appropriate places according to physical networktopology.

The boundaries of underlying networks occur where there is a fundamentalbarrier to native interconnection. One example would be a device “lasthop” network that is based on a non-real-time messaging model, such as ashort message service over a paging network. When it is not feasible ordesirable to run IP on such a network, the “last hop” network cannot beseamlessly integrated into the public Internet. Instead, the “last hop”network would be a different underlying network from the publicInternet. Another example occurs when a firewall separates otherwisecompatible networks. For example, if an enterprise has a privateInternet that is connected to the public Internet through a firewall,but the firewall configuration does not expose devices on the privatenetwork to the public network, then the private network is a separateunderlying network.

Yet another example of a boundary between underlying networks occurswhen different protocols are to be employed by different endpoints, suchas, for example, when one endpoint wants to use hypertext transferprotocol (HTTP) but another wants to use the simple mail transferprotocol (SMTP). Though the endpoints are inter-addressable, they cannotcommunicate directly with each other.

In many applications, the public Internet as a whole is one of theunderlying networks involved. If a company has private LAN segments thatare connected to the public Internet in a way that permits freecommunication in both directions, then those LAN segments are part ofthe same underlying network as the public Internet. Likewise, if thereare mobile devices that use the cellular telephone network through acarrier that provides IP connectivity to the public Internet, then thecellular telephone network is also part of the same underlying network.

Small to medium-sized deployments may have one underlying network thatincludes the public Internet and possibly some private Internet segments(suitably exposed by firewalls) and devices that can be assigned publicIP addresses. No relays are required in that situation. On the otherhand, a large-scale deployment may have three or four underlyingnetworks, including, for example, the public Internet and devices thathave public IP addresses; the enterprise's private Internet, shieldedfrom the public Internet by firewalls, which may be physically composedfrom several disconnected private LANs that are bridged by virtualprivate network (VPN) technology through the public Internet butlogically separate from the public Internet; and one or more non-IP lasthop networks, such as a messaging-based paging network or acarrier-specific wireless network.

FIG. 3 illustrates a system architecture 300 that provides anidentity-based communication layer (ICL). The ICL system architectureassigns a unique identity to every device, user and application, andprovides security services, including authentication, access control,encryption and data integrity, to the identities within the system.

The ICL architecture 300 includes one or more ICL endpoint libraries305, ICL core services 310, ICL core databases 315, ICL administrativeapplications 320, and one or more ICL relay nodes 325. The ICL endpointlibraries 305 are software libraries that may be deployed on devices andenterprise servers to provide an ICL application programming interface(API) to applications, such as applications 350 and 355. The ICLendpoint library 305 also may be used within an ICL relay node 325, andto host the ICL core services 310 and ICL administrative applications.320. An endpoint is associated with a persistent identity, which, inturn, is associated with a network address. Examples of endpointsinclude a device, an enterprise server, and a user using a device.

The ICL endpoint libraries 305 provide the functionality needed by oneendpoint to interact with another endpoint through the ICL. Eachendpoint library includes the ICL API called by the application clientcode, service clients for ICL core services that are used within the ICLto carry out API operations, and plug-in points for network modules andsecurity modules. An application may link directly with the ICL endpointlibrary. More commonly, an application may be written based on or usingone or more information flow processors that are linked with the ICLendpoint library 305.

In some implementations, an ICL endpoint library may be developed for aparticular computing environment. For example, a device-side endpointlibrary may be developed for an endpoint operating WinCE by MicrosoftCorporation, another endpoint library may be developed for an endpointoperating an enterprise-side, single Java virtual machine (JVM) by SunMicrosystems, Inc., and yet another endpoint library may be developedfor an endpoint that is an enterprise-side server operating Java 2Platform Enterprise Edition (J2EE), by Sun Microsystems, Inc. Thedevice-side libraries may provide fewer capabilities, particularly inthe areas of dynamic management and scalability, than an enterprise-sidelibrary due to the reduced system capabilities of a device relative tothe system capabilities of a server.

The ICL core services 310 are a set of autonomous software processesthat interact with the rest of the system through communication channelsto manage and mediate access to the ICL core databases 315. The ICL coreservices 310 include an authentication service 380, a presence andavailability service 385, an identity service 390, and a policy service395.

The authentication service 380 is responsible for verifying thecredentials of identities and thereby providing authentication ofendpoints as the endpoints register onto the system and as theyestablish communication sessions with other endpoints. Theauthentication service is also responsible for issuing new credentialsand maintaining the information required to verify the credentialsduring authentication.

The presence and availability service 385 is responsible for maintainingthe information that associates endpoint identities with the underlyingnetwork addresses that are used to establish communication sessions. Thepresence and availability service 385 also may maintain otheravailability information that endpoint identities may wish to advertiseto other endpoint identities in the system.

The identity service 390 is responsible for managing the identities ofdevices and applications. Identities are authenticable, persistent namesassociated with endpoints that are independent of the physical addressesby which endpoints are connected to their underlying networks. Thecommunications APIs exposed by the ICL operate in terms of identities,not addresses, which shields applications from changes in underlyingnetwork topology, issues of mobility, and the various addressing schemesemployed by different underlying networks. The identity service also maymaintain persistent information about identities in the form ofattributes. In some implementations, the identity service 390 mayprovide version support and historical archiving. The identity service390 also provides support for a composite identity, which is used torepresent temporal associations between different kinds of identities(e.g., a specific user logged into a specific device).

The policy service 395 is responsible for maintaining policy rules andmaking policy decisions that arise in the operation of the ICL and theapplications. ICL-specific policy decisions include authorization ofendpoint registration, authorization of communication sessionestablishment, security settings and network selection for communicationsession establishment, and authorization of identity creation.Applications may also use the policy service for application-specificpurposes.

The ICL endpoint libraries 305 rely on the ICL core services 310 tocarry out most of the functions of the API. Most activities carried outby the ICL administrative applications 320 also interact with ICL coreservices 310. Every complete installation of the ICL deploys ICL coreservices 310 in some location. Typically, ICL core services 310 aredeployed on centralized servers within the enterprise.

The ICL core databases 315 maintain information about the current stateof the system, persistent information configured through administrativeactivity, and historical archives of the other data. The ICL coredatabases provide a basis for centralized control and management. Thecentralized control and management is advantageous when a deviceapplication is used for a large and/or a widely-dispersed group ofdevices.

The ICL core databases 315 include an authentication database 330, apresence and availability database 335, an identity database 340, and apolicy database 345. The presence and availability database 335 also maybe referred to as a presence and availability management (PAM) database335. The ICL core databases 315 correspond to ICL core services 310. Insome implementations, other data management techniques may be used inwhich a core service does not necessarily correspond to a core database.

The authentication database 330 stores information that allows identitycredentials to be verified. The PAM database 335 stores informationabout the current presence and availability status of ICL endpointidentities. The PAM database 335 also maintains the association betweenidentities and underlying network addresses. The identity database 340stores descriptive information about identities in the system, includingan unchanging identifier that is unique both across all identitieswithin the enterprise and across all enterprises. The identity database340 also stores an identifier that is unique within a hierarchicalnamespace for the enterprise and is changeable. The identity database340 also stores attributes associated with the identity. The policydatabase 345 stores rules that govern policy decisions that control mostICL activity and application activity.

In some instances, a historical archive is kept that records theevolution of one or more of the ICL core databases 315 over time. Thismay be used by applications that preserve application data in order tocorrelate old data with the administrative state of the system at thetime of data collection.

The ICL administrative applications 320 are one or more softwareapplications that permit administrators to interact with ICL coreservices 310 to control the behavior of all devices and applicationsthat use ICL.

The ICL relay nodes 325 bridge underlying networks 370 and 375. The ICLrelay nodes 325 are autonomous software processes deployed on serverswithin the interior of the network to bridge between differentunderlying networks and protocols. The deployment of relay nodes,including the number and location of deployed relay nodes, is a functionof network topology and customer networking requirements. In manyinstances, a customer will have a single underlying network such thatICL relay nodes are not required.

Applications 350 and 355 and administrator 360 are outside the ICLsystem but interact with the ICL system. An application, such asapplication 350 and application 355, is software that interacts with theICL but is not provided by the ICL itself. Applications include softwarecreated by end-users and software not identified as part of the ICL.Applications primarily interact with each other by communicating throughthe API exposed by the ICL endpoint library. These interactions aremediated by the ICL core services, which in turn rely on data maintainedin the ICL core databases.

An administrator 360 is a human responsible for operating or maintainingthe ICL within the context of an enterprise's business operations.Administrators primarily interact with the ICL administrativeapplications to manipulate the state maintained in the ICL coredatabases. Because these databases ultimately mediate applicationinteractions, administrators have ultimate control over all applicationinteractions.

Activity within the ICL may include application-initiated activities andadministrator-initiated activities. Application-initiated activities arethose activities which are initiated by an application to use the ICLAPI to perform application functions. Examples include registrationactivity, ICL session activity, composite identity activity, and renewaland revocation activity. Most application-initiated activities may occurwithout intervention by a human administrator.

In registration activity, an identity held by a device or an enterpriseapplication is announced to the system, and the system permits theholder (e.g., the device or the enterprise application) to initiate oraccept ICL communication sessions. The announcement establishes theassociation between the identity and the underlying network addresswithin the presence and availability management database. Policies fromthe policy database control whether a registration is permitted. Theregistering of an identity's credential is verified using information inthe authentication database.

In ICL session activity, the holder of an identity establishes acommunication channel to another identity and exchanges data using thecommunication channel. The authentication service, using information inthe authentication database, provides bi-directional authentication toboth parties. The presence and availability management database isconsulted to translate the remote identity into its correspondingunderlying network address. The identity database may be consulted tolook up and translate identity names. Policies from the policy databasecontrol the authorization of whether the session is permitted and theparameters that determine the level of security to be employed duringdata exchange.

In composite identity activity, the holder of a physical identitycreates a new identity by combining the physical identity with one ormore virtual identities for which the holder can provide verification ofcredentials. A composite identity might arise, for example, if a userlogs into a device and a composite identity representing that user aslogged into that device is created.

In renewal and revocation activities, for each of theapplication-initiated activities above, artifacts that have limitedlifetime (e.g., a registration that is valid only for a period of time)or which change (e.g., if a mobile device changes its underlying networkaddress) are renewed, and artifacts created by prior activity areexplicitly destroyed.

Administrator-initiated activities take place primarily through the ICLadministrative applications, under the control of a human administrator(or perhaps a script created by an administrator). These activitieslargely entail interacting with ICL core services to modify and reporton the contents of the databases maintained by the ICL core services.Administrator-initiated activities include identity management, policymanagement, and system monitoring.

Identity management involves creating, modifying, and deletingidentities for devices, users, and applications, organizing identitiesto reflect business decisions and processes, tracking and reporting onexisting identities, establishing and revoking authenticationcredentials for identities, and imprinting new device identities intodevices.

Policy management involves creating, modifying, and deleting policyrules that control the behavior of the ICL (which in turn governs howdevices and applications interact).

System monitoring involves tracking and reporting on the current statusof devices and communications within the system.

The ICL layer of the architecture addresses networking and communicationrequirements that are common to most enterprise device applications. TheICL operates by enhancing underlying network APIs to provide ahigher-level API to applications. In particular, the ICL addsfunctionality in the areas of identity, security, management/policy, andnetwork and protocol bridging.

As to identity, the ICL manages identities of devices and applications.Identities are authenticable, persistent names associated with endpointsthat are independent of the physical addresses by which endpoints areconnected to their underlying networks. The communications APIs exposedby the ICL operate in terms of identities, not addresses, which shieldsapplications from changes in underlying network topology, issues ofmobility, and the various addressing schemes employed by differentunderlying networks. The identity service also maintains more persistentinformation about identities in the form of attributes, with fullversioning and historical archives. The identity system includes a verypowerful notion of composite identity that is used to represent temporalassociations between different kinds of identity (e.g., a specific userlogged into a specific device).

As to security, the ICL provides end-to-end security services forcommunications. When communication between two endpoints is established,a bi-directional authentication verifies each endpoint's identity to theother. Communication is also encrypted for privacy and signed forintegrity. Authorization of and security settings for communications arecontrolled through centrally administered policy.

As to management/policy, the ICL maintains policy rules that controlaspects of operation of the ICL. Policy rules also may control whetheridentities are authorized to register with the network, and whether oneidentity is authorized to initiate a communication session with a secondidentity. For example, policy rules may control when encryption shouldbe applied to communication and when communication should be routedthrough certain underlying networks. The policy mechanisms also mayprovide extension features that applications can use to manageapplication-specific policy. Management features include the ability tomonitor ICL-level activity and to remotely control all aspects ofnetwork operation. An important aspect of the management featuresinclude a presence and availability service that lets administrators seewhat devices are currently on the network and when the devices lastregistered.

As to network and protocol bridging, the ICL acts as a bridge betweendifferent underlying networks. The ICL shields applications fromdifferences in the protocols used to deliver messages on underlyingnetworks. The ICL handles message relaying and routing as messages crossfrom one underlying network to another, or from one protocol domain toanother.

The ICL layers these services on top of existing networks and protocols.In general, an application message exchange is preceded by an ICLmessage exchange between endpoints and core ICL services. The ICL alsoadds encryption and other information to each application messageexchanged. This general strategy can be applied to a wide variety ofmessaging semantic models and data exchange protocols.

A messaging semantic model is a general paradigm for data exchangebetween two communicating endpoints. Each model implies a certain styleof API and guarantees associated with that API. Examples of messagingsemantic models include reliable, real-time, framed messages; reliable,real-time, streams; and unreliable, non-real-time, framed messages.

With reliable, real-time, framed messages, an endpoint sends avariable-length message to its peer, which receives the message whole.The time required for the message to be received is small relative tothe overall time the two endpoints are engaged in conversation. Messagemodels of this kind are typically built as a layer above thetransmission control protocol (TCP).

With reliable, real-time, streams, an endpoint communicates with itspeer using a stream interface that can be considered as consisting ofmessages of length one byte. Raw TCP is a familiar example of this kindof messaging model.

With unreliable, non-real-time, framed messages, an endpoint sends avariable-length message to its peer, which receives the message whole.However, unlike the reliable, real-time model, neither delivery of themessage, the order of its arrival, nor that only one copy will arrive isguaranteed. The time required for the message to be received is long.E-mail is an example of this kind of messaging model.

Each messaging model can be exposed to applications through a specificAPI. There will be slight differences in the API depending on the modeladapted.

Within a given messaging model and associated API, there are manypossible wire protocols that can fulfill the contract of the API. Forexample, reliable, real-time framed messages can be carried using HTTP,secure HTTP (HTTPS), or an ad-hoc framing protocol written atop raw TCP.Different wire protocols may be desirable in order to comply withdifferent firewall policies, or for other reasons.

The ICL provides an application-level communication API that insulatesapplications from these choices. For any given messaging semantic model,there is a version of that model adapted to ICL and which preserves thebasic character of the messaging model, but which uses identities as thebasis for naming endpoints, includes security services, is centrallymanaged through policy, and can be carried atop multiple protocols andunderlying networks. In one implementation, ICL provides an API thatsupports the reliable, real-time framed message model, and a pluggablearchitecture in which different network modules carry this messagingover a variety of protocols (including HTTP, HTTPS, and raw TCP).

FIG. 4 illustrates a process 400 for communicating between an initiatingidentity 410 and an accepting identity 420, using an intermediary 425 totranslate an identity into a physical address. The initiating identityconsists of initiating application software 411, initiating ICL software412, and initiating networking software 413. The initiating networkingsoftware 413 may be native networking software that is provided by theoperating system or platform that hosts the initiating identity 410.Similarly, the accepting identity 420 consists of accepting applicationsoftware 421, accepting ICL software 422, and accepting networkingsoftware 423. The accepting networking software 423 may be nativenetworking software that is provided by the operating system or platformthat hosts the accepting identity 420.

The initiating application software 411 indicates a desire tocommunicate with the accepting application software 421 by calling theICL initiate method and passing to the ICL software 412 the identityidentifier for the accepting identity 420 (step 430 ia). The initiatingICL software 412 sends to the intermediary 425 a request that specifiesthe identity identifier for the accepting identity 420 (step 430 ii).The intermediary 425 receives the request (step 430 pa) and translatesthe identity identifier for the accepting identity 420 to the physicaladdress corresponding to the accepting identity 420 (step 435 pa). Theintermediary 425 may, for example, translate the identity identifier bylooking up the physical address that corresponds to a particularidentity identifier in a table or list. The intermediary 425 thenresponds to the initiating ICL software 412 by providing the physicaladdress of the accepting identity (step 440 pa). The initiating ICLsoftware 412 receives the physical address of the accepting identity(step 440 ii).

In general, the initiating ICL software 412 then invokes the initiatingnetworking software 413 to open a native connection to the physicaladdress obtained from the intermediary 425. More specifically, theinitiating ICL software 412 sends to the initiating network software 413a connection request (step 450 ii), and the initiating networkingsoftware 413 sends to the acceptor's native networking software 423 anative networking request for connection (step 450 in). The request isreceived by the accepting native networking software 423 (step 450 an)and passed up through the accepting ICL software 422 (step 450 ai) tothe accepting application software 421 (step 450 aa).

The accepting application software 421 determines whether to accept theincoming connection request (step 460 aa). When the incoming connectionis accepted, the accepting application software 421 calls the acceptmethod of the accepting ICL software 422 (step 470 aa). The acceptance,such as an acceptance indicator, is passed through the acceptor's ICLsoftware 422 to the acceptor's native networking software 423 (step 470ai), and is sent, in turn, to the initiator's native networking software413 (step 470 an), to the initiator's ICL software 412 (step 470 in),and to the initiator's application software 411 (step 470 ii). When theinitiator's application software 411 receives the return value of theoriginal ICL initiate method (step 470 ia), the establishment of an ICLsession between the initiating identity 410 and the accepting identity420 is complete. In this manner, the established ICL session wraps anative network connection between the physical address corresponding tothe initiating identity 5 and the physical address corresponding to theaccepting identity.

Once the ICL session has been established between the initiatingidentity 410 and the accepting identity 420, either identity'sapplication software may send a message to the other identity'sapplication software by using the ICL. When the initiating identity'sapplication software 411 sends a message to the accepting identity'sapplication software 421, the initiating application software 411 callsthe send method of the initiating ICL software 412 (step 480 ia), thesend method of the initiating ICL software 412 calls the send method ofthe initiating networking software 413 (step 480 ii), and the sendmethod of the initiating networking software 413 sends the message overthe network to the accepting networking software 423 (step 480 in). Theaccepting networking software 423 receives the message (step 480 an) andpasses the message to the accepting ICL software 422 (step 480 ai). Theaccepting ICL software 422 then passes the message to the acceptor'sapplication software 421 (step 480 aa).

When the accepting identity's application software 421 sends a messageto the initiating identity's application software 411, the processdescribed in steps 480 ia to 480 aa is reversed. That is, the acceptingapplication software 421 calls the send method of the accepting ICLsoftware 422, which, in turn, calls the send method of the acceptingnetworking software 423. The message is then passed from the acceptingICL software 422 to the accepting networking software 423 to theinitiating networking software 413 to the initiating ICL software 412 tothe initiating application software 411.

During communication between the initiating identity and the acceptingidentity, the ICL software 412 and 422 may perform additionalcomputation or checks on behalf of the application software. Forexample, if the accepting application software 421 sends a message tothe initiating application software 411, the accepting ICL software 422may encrypt the data, and the initiating ICL software 412 may decryptthe data. (For communication in the opposite direction, the roles ofencrypting and decrypting are reversed.) In this way, the data in themessage is protected from unauthorized access regardless of the level ofsecurity provided by the native networking software and the networkitself. The application software 411 and 421, however, is the sameregardless of whether encryption is employed.

In another example, the accepting ICL software 422 may append to thedata a cryptographic message authentication code (MAC), and theinitiating ICL software 412 may verify that the received MAC isconsistent with the data received. (The roles are reversed forcommunication in the opposite direction.) This may provide assurancethat the data has not been altered by an unauthorized third party whenthe data was carried over the native networking software and the networkitself. The functions of encrypting/decrypting and the use of MACs maybe used singly, or in combination.

When the ICL software 412 and 422 perform additional computation orchecks such as encryption/decryption or use of MACs, both the initiatingICL software 412 and the accepting ICL software 422 must agree on whatcomputation or checks are to be performed during a given communicationsession. A variety of implementations may be used for reaching thisagreement. In one implementation, the ICL software may be instructed bythe respective application software 411 and 421 of the computation orchecks to be performed, assuming that the application software 411 and421 have reached agreement by some other means. In anotherimplementation, the initiating ICL software 412 and the accepting ICLsoftware 422 may exchange messages to arrive at agreement prior to theexchange of application data as to what computation or checks are to beperformed. In yet another implementation, the initiating ICL software412 and the accepting ICL software 422 may consult a separate policyservice, such as the ICL's policy service 395 in FIG. 3, to make thisdetermination, based on the identity identifiers of the initiatingidentity 410 and the accepting identity 420. In yet anotherimplementation, the policy service may be consulted as part of anotherprocess, such as the session establishment process 870 of FIG. 8 or thesession establishment process 1000 of FIGS. 10A and 10B, both of whichare discussed below.

When the initiating ICL software 412 and the accepting ICL software 422agree to employ encryption/decryption or MACs, they also need to agreeon what specific cryptographic algorithms to use, and what cryptographickeys to use in conjunction with the cryptographic algorithms. Theselection of the particular cryptographic algorithms to use may bearrived at by any of the means described above for coming to agreementon whether to employ encryption/decryption or MACs at all. Examples ofspecific algorithms for encryption and decryption include DES, tripleDES, AES, and RSA. Examples of specific algorithms for creating messageauthentication codes include SHA1-HMAC and MD5-HMAC. The agreement as towhat keys to use may be achieved by a variety of means. In oneimplementation, a shared symmetric key may be arrived at through use ofthe Diffie-Hellman key agreement algorithm. In another implementation, ashared symmetric key may be delivered to the initiator and acceptor by athird party key distribution center. In this implementation, theinteraction with the key distribution center may be performedseparately, or it may take place as part of a larger process such as thesession establishment process 870 of FIG. 8 or the session establishmentprocess 1000 of FIGS. 10A and 10B.

The intermediary 425 may have many implementations. In oneimplementation, the intermediary 425 may be a file that specifies aphysical address for each of several identity identifiers. In anotherimplementation, the intermediary 425 may be a presence and availabilityservice, such as the ICL's presence and availability service 385 in FIG.3. In another implementation, the interaction between the initiator'sICL software 412 and the intermediary 425 (steps 430 ii, 430 pa, 435 pa,440 pa, and 440 ii) may take place as part of a larger process such asthe session establishment process 870 of FIG. 8 or the sessionestablishment process 1000 of FIGS. 10A and 10B.

Referring also to FIG. 5, the physical address returned to theinitiating ICL software 412 in step 440 pa may take any of many forms.FIG. 5 illustrates an example data structure 500 for a physical address.The data structure 500 includes a network identifier 510, a protocolidentifier 520, and a local address 530.

The network identifier 510 specifies a particular native network to beused to communicate with an identity. Examples of a particular nativenetwork include the global Internet, a private network operated by anenterprise, and a satellite paging network. When two endpoints haveglobal addresses whose network identifiers are equal, then the twoendpoints can communicate directly with each other using the nativenetworking software associated with that network. When two endpointshave global addresses whose network identifiers are not equal, then thetwo endpoints may need to communicate using a relay such as the relays215 and 220 in FIG. 2. The protocol identifier 520 specifies thecommunication protocol and message formatting scheme to be used formessages. Examples of a particular protocol include HTTP, HTTPS, and asimple message framing protocol built atop TCP.

The local address 530 specifies the information that the nativenetworking software needs to identify a communications peer. In general,the exact form of the local address 530 depends on the specific networkidentifier 510 and protocol identifier 520 being used. For example, whenthe network identifier 510 specifies the global Internet and theprotocol identifier 520 specifies a simple message framing protocolbuilt atop TCP, then the local address takes the form of an IP addressand TCP port number. In another example, when the network identifier 510specifies the global Internet and the protocol identifier 520 specifiesHTTP, then the local address takes the form of an HTTP Uniform ResourceLocator (URL).

Referring to FIG. 4, one implementation of the communication process 400employs a set of software layers, as illustrated in FIG. 6. FIG. 6 showsthe initiating ICL software 612 (corresponding to item 412 in FIG. 4)implemented using three software layers. The software layers are theidentity layer 614, the global address layer 615, and the local addresslayer 616. The identity layer 614 presents to the initiator'sapplication software 611 an interface in which both the initiator 610and the acceptor 620 are named by their respective identity identifiers.The identity layer 614 is responsible for translating an identityidentifier into a global address. When encryption/decryption or MACs areto be employed, the identity layer 614 also performs those functions.Similarly, when an authentication process, such as the sessionestablishment process 1000 of FIGS. 10A and 10B, is used, theauthentication process also is performed within the identity layer 614.

The global address layer 615 presents to the identity layer 614 aninterface in which both the initiator 610 and the acceptor 620 are namedby their respective global addresses. The global address layer 615interprets the global address to determine the particular network andthe particular protocol to be used. In the case where the acceptingglobal address's network identifier (such as item 510 in FIG. 5)specifies a network that is not directly available to the initiator, theglobal address layer 615 is responsible for determining an appropriaterelay to use to reach the acceptor's network.

The local address layer 616 presents to the global address layer 615 aninterface in which both the initiator 610 and the acceptor 620 are namedby their respective local addresses (such as item 530 in FIG. 5).Because a local address is meaningful only with respect to a particularnetwork and protocol, the local address layer 616 is bound to a specificchoice of network and protocol.

An implementation of the ICL software 612 may have available severalalternative implementations of the local address layer 616, with eachimplementation corresponding to a particular choice of network andprotocol. The global address layer 615 selects from among thesealternative implementations to determine a particular network and aparticular protocol to use. The local address layer 616 carries out theselected protocol, including encapsulating application data in networkmessages as dictated by the selected protocol, and interacting with theinitiating networking software 613. For example, a local address layerimplementation intended for a simple message framing protocol atop TCPmay prepend each message with a message length indication, and send theencapsulated message that includes the message length indication usingthe native network's implementation of TCP. In another example, a localaddress layer implementation intended for HTTP may insert the messageinto the body of a HTTP GET message, with headers and other informationincluded as dictated by the HTTP protocol specification.

The accepting ICL software 622 (such as item 422 in FIG. 4) may have aset of layers 624, 625, and 626 that correspond to the layers 614, 615,and 616, respectively, of the initiator's ICL software 612.

Security in communication networks is an umbrella term that refers toseveral different aspects of protecting sensitive data in thecommunication, including authentication, confidentiality, and integrity.Authentication means that the recipient of a communication can confirmthat the sender is who the sender purports to be, and vice versa.Authentication prevents an unauthorized third party from masquerading asa legitimate user, device, or enterprise application. Authentication isof particular importance in device applications, where devices are oftenin locations at which they are not subject to the physical securityenjoyed by computers located within the walls of an enterprise'sheadquarters.

Confidentiality refers to protecting communications from beingintercepted and understood by an unauthorized third party. The primarytool for insuring confidentiality is strong cryptography. The weak linkin any cryptography scheme is the management of the keys, so it isessential that the network architecture provide for secure key exchange.The authentication procedures play a pivotal role in key exchange.

Integrity means that an unauthorized third party is unable to intercepta communication and modify the communication before the communicationreaches the intended recipient. Integrity can be achieved through theuse of message authentication codes (MACs), digital signatures, orsimilar techniques. Like encryption, integrity assurance is based oncryptographic techniques for which key management is a central issue.

The underlying networks on which the ICL is implemented may notthemselves offer sufficient security. For example, an underlying networkthat uses raw TCP on the public Internet may provide inadequatesecurity. Therefore, the ICL employs techniques that may be used on topof a wide-variety of underlying networks. An underlying network may bereferred to as a native network.

As to identity, any communication in a network must identify the senderand receiver. In most networks, this is done by a physical address ofsome sort, such as, for example, an IP address or a telephone number. Anaddress of this kind has a structure that is specific to the particularnetwork being used, and usually reveals something about the topology ofthe network (e.g., if two U.S. phone numbers share the first six digits,the phone numbers are served from the same central office).

Physical addresses have serious weaknesses as the basis for enterprisedevice applications for a number of reasons. First, devices may bemobile and may have addresses that change as the devices cross from onenetwork boundary to another. Second, there may be more than one networkinvolved. For example, an energy company may have some gas stations inmetropolitan areas where DSL Internet service is available, others wherea cellular telephony network must be used, and very remote stationswhere a satellite paging network is the only one available. This meansthat otherwise similar devices will have physical addresses drawn fromdissimilar address spaces. Third, physical address spaces may haverestrictions unsuitable for large scale applications. For example, it isnot feasible for an enterprise to obtain one million public Internet IPaddresses to use for small ID tags scattered throughout the world.Private networks are routinely created to overcome such limitations, butsuch networks may be unable to reach devices from a different privatenetwork.

Because of these weaknesses, physical addresses may be inadequate as thebasis for identifying senders and receivers in enterprise-class deviceapplications. Instead, an identity-centric approach is employed. Everydevice, enterprise application, or other network service—anything thatcan act as an endpoint for communication—carries a unique identity. Thenamespace of identities is independent of all of the underlying physicaladdress spaces. A mobile device keeps the same identity, even if theaddress of the device changes. From the application's point of view,communications are directed to identities, not addresses. The networkarchitecture maintains the association between identities and addresses,and routes communication accordingly.

Identities are also the basis for achieving end-to-end authentication.Any participant in a communication can convince its partner of theauthenticity of its identity. Various attributes, such as softwareversion, owner, and so forth, may optionally be associated withidentities, which means that the attributes also can be authenticated.

Devices may have more than one identity. For example, a handheld scannerused by a package delivery company may have two identities: oneinstalled by the manufacturer and keyed to the manufacturer's serialnumber for the device, and the other created by the package deliverycompany according to the company's naming scheme and installed when thescanner was purchased and deployed within the enterprise. Differentidentities may have different permissions, and different levels of trustin their authentication. In the previous example, the manufacturer'sidentity might only permit interaction with a provisioning service thatestablishes the enterprise identity while only the enterprise identity,authenticatable through the enterprise's own certifying authority, wouldhave full rights to interact with the enterprise application.

Some identities are long-lived and created through administrativeactivity. These include persistent device identities, as well asidentities associated with users, applications, and other real-worldentities. Other identities arise transiently, through programmaticactivity. An example is an identity representing a particular userlogged into a particular device. The identity system has a rich languagefor defining these different kinds of identities.

As to manageability, the ability to remotely provision, monitor, andadminister devices is central to a successful deployment. While remoteadministration of computer systems is common today, the device worldintroduces new challenges in this area, including identity management,policy driving, and controllable communication.

As to identity management, devices have identities that must be managed.A device has an identity because the device has a long-term relationshipto the enterprise. In this sense, a device is unlike a web client, whichexists outside the enterprise and has no particular long-termrelationship to the enterprise. A device is much more like an internaluser of the corporate network. Just as enterprises must managedirectories of their internal users, enterprises also must maintaindirectories of device identities, along with their attributes,authentication credentials, and so forth.

As to policy driving, as membership in the network is highly dynamic,permissions and other elements of device configuration must be driven bypolicy, not by individual settings. In a very static network, it issufficient for an administrator to set configurations and permissions byselecting an existing entity or group of entities and changing theirsettings. But with new devices being discovered dynamically, thisprocess must be controlled through rule-based policies. An example ofsuch a rule-based policy is “all model 701 scanners in the easternregion should have permission to use the inventory service on machineXYZ.” Devices then receive their settings based on the rules that applyto them.

As to controllable communication, since there is often not a systemadministrator available at the location of a device itself, the networkmust provide enough visibility and control so that problems can bediagnosed and solved remotely. For example, if a determination is madethat devices are being subjected to a virus attack, control mechanismsmust be in place to support shutting down those devices remotely. In theevent the under-attack devices cannot be remotely shut down, mechanismsmust be in place to instruct the network to refuse furthercommunications from the devices. Thus, the network's control mechanismssupport the addressing of problems at multiple levels and thereby allowthe construction of robust management policies.

In general, web services architecture may be poorly suited for deviceapplications. This may be so primarily due to differences between webapplications and device applications, including bi-directionalinitiation of communication, ownership of devices, long-termrelationships, relationships that outlast network associations,inhomogeneous protocols and networks, need for greater security, needfor centralized control, need to inventory and organize devices, complexidentity relationships, and need for resilience against denial ofservice.

As to bi-directional initiation of communication, conversations indevice applications may be initiated both by the device connecting tothe enterprise and by the enterprise connecting to the device. Incontrast, web services are designed to support a model where an entityoutside the enterprise initiates a conversation by connecting to aserver within the enterprise, exclusively. For example, the web servicesarchitecture has no provision for an enterprise to connect to a specificbrowser.

As to ownership of devices, the devices that communicate with anenterprise are usually owned by the enterprise to which they connect,and so enterprises wish to have a long-term understanding of theinventory and connection profiles of devices. This is completelydifferent than the web services model, in which the entities outside theenterprise that connect using HTTP are not owned by the enterprise theyare contacting. The web services protocols, therefore, have a veryanonymous nature when it comes to the identity of the client—the serverknows very little about the client other than incidental informationsuch as IP address that is only loosely connected to any sense of clientidentity, if at all. This is not appropriate for devices: it isimportant to an enterprise, for example, if the enterprise does not hearfrom specific devices over a period of time, or if rogue devices attemptto connect. Device services are always delivered with respect to a knownset of valid devices.

As to long-term relationships, each device interacting with theenterprise has a long-term relationship with the enterprise. Forexample, a kiosk deployed at a customer site has a persistent identityas belonging to that customer, and that identity is important to everytransaction in which the kiosk participates. In the web services model,there is no notion of continuity of identity between sessions, and noadequate mechanisms for layering that notion on top. Browser cookies area very weak attempt to provide such a facility, but they suffer frommany shortcomings.

As to relationships that outlast network associations, the long-termrelationship between a device and the enterprise persists even if thedevice changes its network address due to mobility or changes in networkservice provider. Thus, while the web service model provides access tothe underlying network address as a means of client identification, suchaccess is of little use for device applications.

As to inhomogeneous protocols and networks, a single device applicationmay require many different protocols and networks in order to provideconnectivity to every device. This arises from constraints of devicecapability, as well as a complex and changing landscape of networksrequired to reach every corner of the device world. The web servicesmodel assumes a uniform space of IP networks and the HTTP protocol.

As to security, device applications typically require greater securitythan web services applications, because device applications represent anextension of the boundaries of an enterprise outside the four walls ofthe machine room. Web services, in contrast, represent interactions withoutside parties, and so the range of operations is typically restrictedto a point where security requirements are less.

As to centralized control, the devices of device applications are partof the enterprise, but have no system administrator sitting next tothem. It is therefore important to provide extensive means forcentralized, remote control of devices and their ability to interactwith the enterprise. In web services, the clients are not part of theenterprise, and so there is no such requirement for control. The webservices architecture does not provide any mechanisms for this.

As to the need to inventory and organize devices, devices are part ofthe enterprise, and, as a part of managing devices, enterprises need tobe able to record all devices, organize them in meaningful ways,associate attributes with them, and so on. No such requirement existsfor the clients of web services, since the clients are anonymous,constantly changing, and in no way owned by the enterprise.

As to complex identity relationships, the identities of participants indevice applications can be complex. For example, a particular truckdriver logged into a particular handheld package scanning devicerepresents a complex association of two identities (the driver and thescanner). For purposes of tracking data and assigning policy, it isdesirable to track both of these identities in every interaction. Theweb services model provides very little support for such complexrelationships.

As to denial of service, device applications require resilience againstdenial-of-service attacks. It is important that any attempt atunauthorized access be blocked as soon as possible, so that an attackercannot consume inordinate amounts of CPU before access is denied. In theHTTPS web services model, there is a very expensive exchange to set upan HTTPS connection before the user's password can be entered.Accordingly, the HTTPS model is much more vulnerable to this kind ofattack. In the web services world, this is considered acceptable becausethere is usually useful content to be delivered to the user prior to theuser entering his password, and so the set up of the HTTPS connection isnot considered wasteful.

FIG. 7 illustrates an example data structure 700 for an identity. Anidentity may be used within the ICL system architecture to name acommunication endpoint, as the subject of administrative activity, andto tag individual items of data.

An identity may be used to name a communication endpoint by identifyingan entity that sent or received a communication. Identities aregenerally independent of physical address. Physical-address independenceprovides a more robust way of specifying communication endpoints whenthe enterprise infrastructure, including protocols and networkaddresses, is subject to change.

The authentication of identities also may improve the degree of securityprovided in communications using the ICL. The ICL system architecturemay provide a more robust system because identities are authenticated.In particular, for an identity to be recognized and used within thesystem, a device or other entity claiming the identity must firstauthenticate itself by offering proof that it has a right to that claim.Typically, authentication involves proving knowledge of a secret knownonly to the legitimate holder of the identity, e.g., a password orcryptographic key. When the identity is subsequently used as the basisfor communication, or for administration or data tagging, the strengthof the authentication leads to a higher level of confidence in thesesubsequent uses.

An identity may be the subject of administration activity. The ICLarchitecture provides for a centralized, declarative management ofinfrastructure and of applications. Policy rules that govern managementactivity, such as security parameters and what devices may interact withwhat other devices, may be based on identities and attributes associatedwith identities. For example, authenticated identities may be the basisfor granting authorization to perform various actions within the system.Authenticated identities also may select provisioning information usedto initialize and control autonomous activities, including the securingof communication. Policy based on identities and associated attributesalso may be used by application developers to provision and controlapplication behavior.

An identity may be used to tag individual items of data that arecommunicated across the network. By combining endpoint identities withunique sequence numbers, each data element in the system may be givenits own identity. Data identities may provide applications with metadataabout the data, including how and when the data was created. Identitymay also be used to as a basis for joining together data collected byindependent applications.

The data structure 700 includes an identity identifier 710, ahierarchical identifier 720, attributes 730, a credential 740, and,optionally, a version number 750 and a type 760.

The identity identifier 710 refers to a name that is unique across allidentities. The identity identifier 710 may be referred to as anunderlying name or a “uname.” The identity identifier for a specificidentity is not changed over the lifetime of the identity, and is notreassigned to a new identity. The identity identifier 710 may beassigned in such a way as to be unique within the particular enterprise.In some cases, an identity identifier 710 may be assigned in such a waythat the identity identifier is unique across all enterprises (and notmerely unique within a particular enterprise). This may provide anadvantage in that an identity identifier that is unique acrossenterprises may enable interactions between enterprises withoutrequiring a joint-enterprise naming authority for devices.

In some implementations, an identity identifier 710 may be assigned touniquely identify an identity across enterprises. For example, in suchan implementation, the identity identifier 710 may include a realm 765and a unique identifier 770 (or UID). The realm 765 identifies aparticular instance of the identity service, across all enterprises.When an identity service is assigned a different realm from all otheridentity services, the identity service is able to assign uniqueidentities independently. A realm for an enterprise may be the Internetdomain name owned by the enterprise. When an enterprise operates morethan one identity service and, hence, needs more than one domain name,the enterprise may create child domain names based on the domain name ofthe enterprise for each identity service in the enterprise. This permitsthe assignment of unique identity identifiers across enterprises thatare not centrally managed or in partnership (or otherwise associated)with one another.

The UID uniquely identifies each identity in the realm. The UID may bean integer, such as a randomly-assigned integer, that is assigneduniquely to each identity within a realm. Together, a realm and a UIDform an identity identifier that is unique across enterprises.

Unique identity identifiers are assigned based on an allocation of aparticular identifier from a particular namespace. In one particularimplementation, a namespace provides for different size UIDs andreserves some UIDs for well-known identities. For example, the namespacemay use a 32-bit UID when an enterprise includes a relatively smallnumber of UIDs, a 64-bit UID when an enterprise has exceeded theidentities available using a 32-bit UID, and a 128-bit UID when theenterprise has exceeded the UIDs available using the 32-bit and 64-bitUIDs. This particular namespace may be advantageous. For example, theparticular namespace may result in system efficiencies because shorterUIDs (e.g., 32-bit UIDs rather than 64-bit UIDs) are used where possiblewhile capacity is provided for a very large number of UIDs through useof 64-bit or 128-bit UIDs.

The described implementation also provides an indication as to whetherthe UID is a composite identity, which may provide a benefit. Forexample, an application can determine whether to send a query to theidentity service to recover constituent identities.

The ranges of UIDs included in the table below are valid in a particularimplementation.

Reserved range for well- Range Structure known identities 32 bit UIDsTT.0.[29 bits] TT.0.[19 zeros].[10 bits] 64 bit UIDs TT.10.[60 bits]TT.10.[40 zeros].[20 bits] 128 bit TT.110.[123 TT.110.[83 zeros].[40bits] UIDs bits]

Within each range, the first two bits indicate the type of identity, asdescribed in the table below.

TT Meaning 00 Physical Identity 01 Virtual Identity 10 CompositeIdentity 11 [Reserved for future use]

Within each range, a subset of the range, such as within the 32-bitrange, may be set aside for use by well-known identities. The reserved11 value for the TT bits is available if the identifier managementscheme is extended or replaced with an alternative management scheme.

The hierarchical identifier 720 refers to a name for an identity that isunique within a hierarchical directory namespace maintained by theenterprise. The hierarchical identifier 720 may also be referred to as ahierarchical name or “hname.” Unlike identity identifiers, hierarchicalidentifiers may be changed based, for example, on the needs of theenterprise. The attributes 730 of the identity are associated with theidentity identifier 710. This allows a change to be made to thehierarchical identity of a device without requiring a correspondingchange to the identity identifier, authenticating credentials for adevice based on an identifying identifier, or other data associated withthe identity identifier. The use of a hierarchical namespace may beadvantageous when an enterprise includes a network of a large number ofdevices, such as thousands or millions of devices.

In some implementations, the hierarchical identifier 720 is associatedwith a hierarchical namespace 775. For brevity, only a few of theelements are depicted in the hierarchical namespace 775. Thehierarchical namespace 775 is a directory-like structure that includes aroot 780 and leaves 781-788. The path from the root to a leaf implies ahierarchical identifier, and the leaf is the identity bearing thathierarchical identifier. A hierarchical identifier directory facilitatesscalability and the decentralized administration of a large number ofidentities.

For example, the hierarchical namespace 775 is organized based ongeographic regions, types of devices, and enterprise servers. The leaf781 represents an Eastern region of an organization and all identitiesassociated with the Eastern region are represented as leaves (here,786-788) that descend from leaf 781. To help organize the identitiesassociated with the Eastern region, the hierarchical namespace 775includes a container (represented by leaf 783) to group devices and acontainer (represented by leaf 784) to group enterprise servers. Inhierarchical namespace 775, the devices are also categorized by type,and a container (represented by leaf 785) is used to group scanners,which are a type of device. The scanner devices themselves arerepresented by leaves 786-788. Each terminal leaf in the hierarchicalnamespace 775 represents a device.

The hierarchical identifier of a device (or other identity representedin a hierarchical namespace) is based on the hierarchical path from theroot node to the terminal node that represents an identity. For example,the hierarchical identifier for the device represented by terminal node786 may be a concatenation of the leaf names. Specifically, thehierarchical identifier for leaf 786 may beroot/Eastern/devices/scanners/s42.

In some implementations, the leaf of the tree is not the identityitself, but a reference to the identity's identity identifier 710. Theattributes and credential for the identity are associated with theidentity identifier, not the hierarchical identifier. This allows anidentity's hierarchical identifier to be changed, or the hierarchicalidentifier tree to be reorganized, without affecting the underlyingidentity identifiers. As a result, changes to hierarchical identifiersdo not require changing the imprinted identity identifiers orcredentials in devices.

The attributes 730 refer to data associated with an identity. Theattributes 730 are used to provide additional descriptive informationfor identities. For example, an identity representing a scanner devicemight have as attributes the manufacturer's name and model number. Theattributes 730 typically are represented as one or more name/valuepairs. The attributes 730 may be assigned by the enterprise and/or theapplication developer.

Applications may use the attributes 730 to guide application behavior.For example, an application for monitoring a weather station may haveseveral operating parameters that control the behavior of theapplication for each weather station device under control of theapplication: sampling rate, hours of operation, calibration data, and soon. By storing this information as attributes of the device identities,the application makes this data much more visible to administrators andother applications.

Some implementations may include an attribute schema that defines whatattributes an identity will have, and what types of permitted values anattribute may have. A particular schema may be associated with manyidentities of a similar type. For example, an enterprise may create aschema for each category of device or other identity in the system(e.g., one schema for weather stations, another for package scanners,and another for users).

The credential 740 refers to a credential that the holder of theidentity uses to prove that the identity is authentic. The credentialtypically is known only to the holder of the identity and to theauthentication service, such as authentication service 380 of FIG. 3, orother type of security management service provided by the ICL. Thecredential 740 may be included in the identity data structure 700 or, insome implementations, the credential 740 may be a separate datastructure that, when instantiated, may be associated with theinstantiation of an identity data structure 700. In someimplementations, the credential 740 may be associated with the identityrather than being included in the identity.

The version 750 refers to a version number associated with an identity.A version number of zero is assigned to a newly-created identity. Theversion number is incremented each time a change is made to attributes730 or the hierarchical identifier 740. The version number may provide away for distributed applications to coordinate their respective views ofidentity information. For example, an application has an applicationportion that runs on a device and the application communicates withanother application portion that runs on an enterprise server. Tooperate properly, the application may need a consistent view of thevalues of attributes in both portions of the application (e.g., the oneon the enterprise server and the one on the device). The two applicationportions may exchange the identity version numbers to ensure that bothapplication portions are accessing the same view of the attributes. Someimplementations may not include a version 750 for an identity in anidentity data structure.

An identity may be one of several types, including a physical identity,a composite identity, a virtual identity, or a well-known identity. Thetype 760 identifies the one of several identity types applicable to theparticular identity. Some implementations may not include a type 760 inan identity data structure.

A physical identity may be associated with a concrete, singular,physical entity. Examples of a physical identity include a device or andan enterprise server. A physical identity is associated with a physicaladdress, such as a network address. A physical identity may be anendpoint identity in a communication session using the ICL.

A virtual identity is used to represent a non-physical entity. Forexample, a virtual identity may be a user account that is associatedwith a person. A virtual identity may have the same capabilities withrespect to administration and data tagging as the capabilities of aphysical identity. A virtual identity, however, cannot be an endpointidentity in a communication session using the ICL because the virtualidentity is not associated with a physical network address.

A composite identity is used to represent temporal associations betweendifferent kinds of identities (e.g., a specific user logged into aspecific device). Typically, a composite identity combines a physicalidentity with one or more virtual identities. A composite identity mayhave the same capabilities with respect to communication,administration, and data tagging as a physical identity does. Forexample, like a physical identity, a composite identity may be used as acommunications endpoint. This may be accomplished because a compositeidentity has a physical identity as one of its constituents. Thephysical identity of the composite identity maps to the associatedphysical address that is needed to establish communications. The abilityof a composite identity to serve as a communications endpoint mayprovide a benefit including the ability to tag data using the compositeidentity (e.g., a driver using a device), instead of using the deviceidentity, to identify the person who entered the data using the device.

Although a physical identity is limited to a single instantiation, othertypes of identities, such as a virtual identity or a composite identity,may represent a non-physical concept that can, at a given time, exist inany number of instantiations. For example, a user logging onto aparticular device may log on more than once such that each user login isassociated with a composite identity. Virtual and composite identitiesprovide a means for expressing transient relationships betweenseparately administered entities in a system.

Other examples of situations that may benefit from a composite identityinclude a device proxy scenario and an identity chain scenario.

A device proxy may be used to control many devices. For example, an oilwell may include many sensors, at least some of which may not becomputationally powerful enough to operate the software platform. Thesensors may be connected to a concentrator device that acts as a proxyfor the sensors. The proxy may be a computer system that is capable ofoperating the software platform. The proxy then may act as the endpointthat hosts each of the identities associated with the sensors.

One approach may be that the proxy hosts a different physical identityfor each sensor, with all of those identities sharing a physical address(the address of the proxy). An alternative approach is to assign eachsensor a virtual identity and have the proxy create a composite identityfor each sensor, where each composite identity combines the physicalidentity of the proxy with the virtual identity of the sensor. Becausethe physical identity of the proxy is used, communication traffic usesthe proxy's physical address. Compared to using separate physicalidentities for each sensor, this scheme has an advantage that theidentity of the proxy is retained. This enables an application toanalyze characteristics of the proxy as well as characteristics of eachsensor.

An identity chain scenario involves the assignment of a multipleidentities to a particular device. A manufacturer may imprint a distinctidentity into each device manufactured and retain the identityinformation in the manufacturer's own identity database. A customer maypurchase multiple devices from the manufacturer and imprint an identitywith each device and store attributes appropriate to the customer'sbusiness.

The customer may associate a physical identity with each device.Alternatively, a composite identity may be created for each device thatincludes the physical identity imprinted by the manufacturer. Thatoriginal physical identity imprinted by the manufacturer may serve asthe basis for secure authentication, which may eliminate the need forspecial procedures surrounding imprinting that involve a new physicalidentity solely based on the customer requirements. The new compositeidentity may be given the authorization privileges needed for normaldevice operation within the customer's enterprise, whereas the originalphysical identity imprinted by the manufacturer may only haveauthorization to participate in the composite creation process. Theoriginal physical identity imprinted by the manufacturer may also beused when the customer has to interact with the manufacturer's customerservice organization in the event of a device malfunction.

One approach to an identity chain scenario requires some cooperationbetween the manufacturer and the customer. For example, the identityservice of the customer may collaborate with the identity service of themanufacturer to create the composite identity. The composite identitymay be held in the customer's identity service. An alternative approachmay be to provide a customer who purchases the devices from themanufacturer with the relevant portion of the identity database of themanufacturer to be maintained in the identity database of the customer.

The advantages of a composite identity also may be illustrated in thescenario described below. In this scenario, a parcel delivery companyemploys drivers who carry scanner devices. Each scanner device ispermanently associated with an identity that is imprinted on the device.The scanner device is associated with attributes, including the make,model, serial number, and date purchased. A scanner device is notpermanently assigned to a particular driver. Instead, a driver uses ascanner device that the driver selects at the beginning of a deliveryrun. The driver logs into the scanner and the scanner authenticates thename and password of the driver. For the remainder of the delivery run,each action the driver takes using the scanner device is associated withthe name of the driver and the scanner device identifier.

This scenario uses a physical identity, a virtual identity, and acomposite identity. The physical identity is the identity associatedwith the scanner device itself. The virtual identity is the identity ofthe driver. The composite identity is the combination of the scannerdevice (which is a physical identity) and the driver (which is a virtualidentity).

A well-known identity refers to an identity that the ICL needs forproper operation. Well-known identities may be allocated from a reservedportion of the UID namespace, which provides that the meaning of aparticular reserved UID is the same in every realm.

Some implementations may include a historical archive of identities andattribute values, particularly when historical databases of device dataare being kept. An implementation may include an identity historicalarchive that stores a permanent record of device attributes as theattributes existed at some, or any, point in time. A record is stored inthe identity historical archive for each change that is made to anattribute of an identity. When a new identity is created, a record isstored in the identity historical archive. The identity historicalarchive records also include the date and time when the record wascreated.

The authentication of an identity may involve three processesillustrated in FIG. 8. The first of these is an imprinting process 850for imprinting an identity into an endpoint 810. The initiating endpoint810 performs a portion of the imprinting process (step 851 i), as doesthe authentication service 820 (step 851 s). In one implementation, aninitiating endpoint 810 may send a request for imprinting to theauthentication service 820. The request may include, for example, anidentifier for the initiating endpoint 810. In another implementation, ahuman administrator interacting directly with the authentication service820 may request that the initiating endpoint 810 be imprinted. When theauthentication service 820 receives the request to imprint theinitiating endpoint 810, the authentication service 820 associates theinitiating endpoint 810 with an identity identifier and sends theidentity identifier to the initiating endpoint 810. The authenticationservice 820 also sends to the initiating endpoint 810 a long-termauthentication credential that encapsulates a secret shared between theendpoint 810 and an authentication service 820. The initiating endpoint810 receives and stores both the identity identifier 841 and thelong-term authentication credential 842.

For a physical identity, the imprinting process is typically performedonce for an endpoint, and imbues (or otherwise associates) an endpointwith a physical identity. When an endpoint is to have more than onephysical identity, then the imprinting process 850 is performed once foreach physical identity. The creation of a composite identity is anotherform of imprinting. Regardless of the type of identity imprinted, at theconclusion of the imprinting process 850, the endpoint 810 possesses anidentity identifier 841, and a long-term authentication credential 842that encapsulates a secret shared between the endpoint 810 and anauthentication service 820.

The second process is a registration process 860 in which an endpoint810, having been previously imprinted, registers with the authenticationservice 820. The initiating endpoint 810 performs a portion of theregistration process (step 8611), as does the authentication service 820(step 861 s). Typically, an initiating endpoint 810 sends a request forregistration to the authentication service 820. The request forregistration may include the identity identifier for the initiatingendpoint 810. The authentication service 820 then sends to theinitiating endpoint 810 a short-term authentication credential thatencapsulates a secret shared between the endpoint 810 and anauthentication service 820. The initiating endpoint 810 receives andstores the short-term authentication credential 843.

Unlike the long-term authentication credential, however, the secretencapsulated in the short-term authentication credential 843 is validonly for the duration of the registration which may be, for exampleuntil the device is powered down, or until a pre-established expirationperiod elapses. As an optional part of the registration process 860, theendpoint 810 may advertise its physical address to the authenticationservice 820. This may be carried out with the aid of a presence andavailability service such as the ICL presence and availability service(item 385 in FIG. 3). In carrying out the registration process, theauthentication service 820 may consult a policy service such as the ICLpolicy service (item 395 in FIG. 3) to determine if the endpointidentity 810 is authorized to register and/or advertise its physicaladdress. The registration process 860 involves a mutual authenticationbetween the endpoint 810 and the authentication service 820 that usesthe long-term authentication credential previously established by theimprinting process 850.

Typically, the registration process 860 is performed many times over thelifetime of an endpoint, such as each time a physical device powers up,or when a composite identity is created, or after a previousregistration has expired. At the conclusion of the registration process860, the endpoint 810 possesses a short-term authentication credential843 that encapsulates a secret shared between the endpoint 810 and anauthentication service 820.

The third process is a session establishment process 870 in which aninitiating endpoint 810, having previously registered, establishes acommunication session with an accepting endpoint 830, which has alsopreviously registered. At the conclusion of the session establishmentprocess 870, the initiating endpoint 810 and the accepting endpoint 830are each in possession of a session key 844. The session key 844 is asecret shared between the two endpoints and is valid for the currentsession only. The session key may subsequently be used by the twoendpoints to encrypt their communication and to create data integritychecks. The initiating endpoint 810 and the accepting endpoint 830 mayalso each be in possession of policy information 845 specified by theauthentication service 820 for use in governing the subsequentcommunication between the endpoints. Examples of policy informationinclude whether to encrypt the subsequent communication, whether toemploy data integrity checks in the subsequent communication, and theparticular algorithms to employ for these operations.

Broadly speaking, the session establishment process 870 is carried outin two phases. In the first phase, the initiating endpoint 810 and theauthentication service 820 mutually authenticate one another and theinitiating endpoint 810 receives authentication material from theauthentication service 820. In the second phase, the initiating endpoint810 uses the received authentication material to establish acommunication session with the accepting endpoint 830.

More specifically, the first phase of the session establishment process870 includes a mutual authentication between the endpoint 810 and theauthentication service 820 (steps 871 i and 871 s). The initiatingendpoint 810 communicates with the authentication service 820 toindicate a desire to communicate with an accepting endpoint 830. Theauthentication service 820 also provides the initiating endpoint 810with a session key 844. In some implementations, the authenticationservice 820 also may provide policy information 845. In carrying out thefirst phase of the session establishment process, the authenticationservice 820 may consult a policy service, such as the ICL policy service395 in FIG. 3, to determine if the endpoint identity 810 is authorizedto communicate with the accepting identity 830, and/or to determine whatpolicy information applies to the session.

In some implementations, the authentication service 820 may provide theinitiating endpoint 810 two copies of the session key. One copy of thesession key may be encrypted using the short-term authenticationcredential 843 of the initiating endpoint 810 and may be used by theinitiating endpoint. The other copy of the session key may be encryptedusing either the short-term authentication credential or the long-termauthentication credential of the accepting endpoint 830 and may be usedby the accepting endpoint 830. This may help to protect the session keyfrom being used by unauthorized parties. This also may prevent theinitiating endpoint 810 from tampering with the session key informationbefore the session key is received by the accepting endpoint 830.

Similarly, the authentication service 820 may provide the initiatingendpoint 810 two copies of the policy information. One copy of policyinformation may be encrypted using the short-term authenticationcredential 843 of the initiating endpoint 810, and the other copy ofpolicy information may be encrypted using either the short-termauthentication credential or the long-term authentication credential ofthe accepting endpoint 830. This may help to protect the policyinformation from being used by unauthorized parties. This also mayprevent the initiating endpoint 810 from tampering with the policyinformation before the policy information is received by the acceptingendpoint 830.

The second phase of the session establishment process 870 (steps 872 iand 872 a) involves a mutual authentication between the initiatingendpoint 810 and the accepting endpoint 830. The mutual authenticationin the second phase makes use of the session key 844.

In the second phase of the session establishment process 870, theinitiating endpoint 810 delivers to the accepting endpoint 830 thesession key 844 and the policy information 845 obtained from theauthentication service 820 during the first phase.

Specific implementations of the session establishment process 870 mayinclude, in either the first phase or the second phase or both,additional messages not explicitly indicated in FIG. 8. For example, ifthe short-term authentication credential of the accepting endpoint 830is used by the authentication service 820 to encrypt the session key 844for delivery to the accepting endpoint 830, additional messages may beused so that the initiating endpoint 810 can obtain the credential fromthe accepting endpoint 830 and relay it to the authentication service820.

The registration process 860 and the session establishment process 870both involve the authentication of one party to another. For example, inthe registration process 820, the endpoint 810 authenticates itself tothe authentication service 820, and the authentication service 820likewise authenticates itself to the endpoint 810. When one partyauthenticates itself to another party, it may do so using a challengeand response protocol. In general, a challenge and response protocol isan authentication approach in which an entity sends a nonce (anon-repeatable number) that the recipient cryptographically modifiesusing a shared key and returns to the challenger. The challengerauthenticates the recipient by confirming that the modified nonce hasthe correct value. In one implementation, the shared key may be a singlekey that is known only by the two parties to the authentication, wherethe operation of cryptographically modifying the nonce uses a symmetriccryptographic algorithm. In another implementation, the shared key maytake the form of a public/private key pair, where the private key isknown only to the recipient and the public key is known by thechallenger (though not necessarily exclusively by the challenger). Inthis implementation, the operation of cryptographically modifying thenonce uses an asymmetric (public key) cryptographic algorithm. In anycase, the challenge and response protocol confirms the identity of therecipient because the recipient is presumed to be the only entity inpossession of the necessary key to produce a correct response. Thesignificance of the non-repeatability of the nonce is to protect againsta “replay attack,” in which an unauthorized party uses a responseintercepted from a prior run of the challenge and response protocol tomasquerade as the authentic recipient.

In one implementation, a nonce may be a large random number. In anotherimplementation, a nonce may be a sequence number. In yet anotherimplementation, a nonce may be a timestamp derived from the current dateand time. When a timestamp is used, and both parties may be assumed tohave synchronized clocks, the challenge and response protocol may beimplemented without the challenger explicitly sending the nonce to therecipient, because the recipient may presume the nonce to be the currenttimestamp. Many of the applications for which the ICL may be used,however, employ network devices that do not include a real-time clock,and therefore the use of random number or sequence number nonces may bepreferred.

The session establishment process 870 may be readily combined with thecommunication process 400 of FIG. 4. The first phase of the sessionestablishment process 870 (steps 871 i and 871 s of FIG. 8) may becombined with steps 430 ii through 440 ii of FIG. 4. In thiscombination, the authentication service 820, in addition to itsresponsibilities with respect to FIG. 8, also performs the translationof the acceptor identity to a physical address, corresponding to step435 pa of FIG. 4. Likewise, the second phase of the sessionestablishment process 870 (steps 872 i and 872 a of FIG. 8) may becombined with steps 450 ii through 470 ia of FIG. 4. In thiscombination, once the physical connection has been established betweenthe two endpoints (that is, following step 470 ii of FIG. 4), messagesare exchanged between the two endpoints to carry out the second phase ofsession establishment (steps 872 i and 872 a of FIG. 8). The session key844 and policy information 845 obtained from the second phase of sessionestablishment may then be used by the ICL to perform additionalcomputation or checks (such as encryption/decryption and using messageauthentication codes (MACs)) during application communication (steps 480ia, 480 ii, 480 in, 480 an, 480 ai, and 480 aa of FIG. 4).

FIG. 9 shows a process 900 for communicating between an endpointidentity 905, an authentication service 910, a policy service 915, and apresence and availability service 920 to register the endpoint identity905. This process is an example of the registration process 860 of FIG.8. Once registered, an endpoint identity may establish connections withother another identity using the ICL. Optionally, the endpoint identity905 may register with the presence and availability service 920 toannounce the presence of the endpoint identity 905 on the network.Announcement allows the endpoint identity 905 to accept ICL sessions (inaddition to initiating ICL sessions).

Typically, an endpoint identity that is a physical identity, such as adevice, requests registration when the physical identity powers up. Anendpoint identity also may be registered in other situations, such aswhen a composite identity is created, or upon determining that thecurrent short-term authentication credential of the endpoint identityhas either expired, or is close to expiring. The endpoint identity 905may be a physical identity, such as a device (e.g., device 110, 115, 120or 125 of FIGS. 1 and 2) or an enterprise server, such as enterpriseapplication 105 of FIGS. 1 and 2. The endpoint identity 905 also may bea composite identity, such as a user logged into a particular device.The authentication service 910 may be an authentication service of theICL, such as authentication service 380 of FIG. 3. The policy service915 may be a policy service of the ICL, such as policy service 395 ofFIG. 3. The presence and availability service 920 may be a presence andavailability service of the ICL, such as the presence and availabilityservice 385 of FIG. 3.

The registration process begins when the endpoint identity 905 sends tothe authentication service 910 a registration initiate message (step 930e). The registration initiate message also may be referred to as aregistration request. The registration initiate message includes anidentity identifier associated with the endpoint identity 905 and anonce challenge. The nonce challenge may be referred to as an endpointchallenge. The registering endpoint identity 905 may also attach amessage authentication code (MAC) to the registration initiate message,using the endpoint identity's long-term authentication credential.

The authentication service 910 receives the registration initiatemessage and endpoint challenge (step 930 a). If the registrationinitiate message includes a MAC, the authentication service 910 verifiesthe attached MAC. This may confirm the authenticity and integrity,though not the freshness, of the received message.

The authentication service 910 sends a registration authenticationchallenge message to the registering endpoint identity (step 935 a). Theregistration authentication challenge message includes a response to thechallenge received from the endpoint identity 905, and a new noncechallenge generated by the authentication service 910. In oneimplementation, the response to the challenge received from the endpointidentity 905 may be implemented by including the nonce received in step930 a together with a MAC derived using the long-term authenticationcredential of the registering endpoint identity 905. The identityidentifier of the endpoint identity 905 also may be included in theregistration authentication challenge message.

The registering endpoint identity 905 receives the registrationauthentication challenge message and the response to the endpointchallenge (step 935 e). The registering endpoint identity 905authenticates the authentication service 910 by verifying the responseto the endpoint identity's original challenge (step 937 e). When theresponse is implemented using a MAC, the authentication also may verifythe authenticity and integrity of the registration authenticationchallenge message itself. When the authentication service 910 fails torespond successfully to the challenge (e.g., the endpoint identity 905receives an incorrect response or does not receive a response at all),the endpoint identity 905 terminates the process 900.

When the endpoint identity 905 receives a correct response from theauthentication service 910, the registering endpoint identity 905 thenresponds by sending a registration authentication response message tothe authentication service 910 (step 940 e). The registrationauthentication response message includes a response to the challengereceived from the authentication service 910. In addition, if theregistering endpoint identity intends to accept ICL communicationsessions (in addition to or as opposed to initiating ICL sessions), theregistering endpoint identity includes an optional announcement requestin the registration authentication response message. The announcementrequest includes the registrant's physical address. The physical addressmay take the form of an ICL global address (such as data structure 500in FIG. 5). In one implementation, the response to the challengereceived from the authentication service 910 may be accomplished byincluding the nonce received in step 935 e together with a MAC derivedusing the long-term authentication credential of the registeringendpoint identity 905. The identity identifier of the endpoint identity905 and the two nonces used up to this point also may be included in theregistration authentication response message.

The authentication service 910 receives the registration authenticationresponse message (step 940 a). The authentication service 910authenticates the endpoint identity 905 by verifying the response to theauthentication service's original challenge (step 942 a). When theresponse is implemented using a MAC, the authentication also may verifythe authenticity and integrity of the registration authenticationresponse message itself. When the registering endpoint identity 905fails to respond successfully to the challenge (e.g., the authenticationservice 910 receives an incorrect response or does not receive aresponse at all), the authentication service 910 terminates the process900. When the authentication service 910 receives from the endpointidentity 905 a correct registration authentication response message, theauthentication service 910, sends a request to the policy service 915 todetermine whether the endpoint identity 905 is authorized to register(step 945 a). The policy service 915 receives the registrationauthorization request (step 945 p). The policy service 915 thendetermines whether registration is authorized for the endpoint identity(step 950 p). This may be accomplished, for example, when the policyservice 915 accesses policy information, such as the policy database 345of FIG. 3, that specifies rules for determining whether a given endpointidentity may be registered. In one implementation, the policy service915 accesses identity information, such as the identity database 340 ofFIG. 3, to determine a policy role for each identity, and then uses thatrole to evaluate policy rules that specify what roles are permitted toregister. The policy service 915 sends to the authentication service 910an indication as to whether registration is authorized for the endpointidentity 905 (step 955 p).

The authentication service 910 receives the indication as to whetherregistration is authorized for the endpoint identity 905 (step 955 a).When registration is not authorized, the authentication service 910 maysend a notification message to the endpoint identity 905 that indicatesthat the endpoint identity 905 is not permitted to register.

When registration is authorized and an optional announcement requestfrom the endpoint identity 905 has been received, the authenticationservice 910 sends an announcement request on behalf of the endpointidentity 905 to the presence and availability service 920 (step 960 a).

The presence and availability service 920 receives the announcementrequest on behalf of the endpoint identity 905 (step 960 pa). Thepresence and availability service 920 then sends to the policy service915 a request to determine whether announcement of the endpoint identity905 is authorized (step 965 pa).

The policy service 915 receives the announcement determination request(step 965 p) and determines whether announcement of the endpointidentity 905 is authorized (step 970 p). This may be accomplished, forexample, when the policy service 915 accesses policy information, suchas the policy database 345 of FIG. 3, that specifies what types ofdevices may be announced and determines whether the endpoint identitymay be announced. The policy service 915 sends to the presence andavailability service 920 an indication as to whether announcement isauthorized for the endpoint identity 905 (step 975 p).

The presence and availability service 920 receives the indication as towhether announcement is authorized for the endpoint identity 905 (step975 pa). When announcement is authorized, the presence and availabilityservice 920 publishes availability information for the endpoint identity905 (step 980 pa). The availability information may include, forexample, an identity identifier and a physical address. The publicationof availability information for the endpoint identity may beaccomplished, for example, by updating presence and availabilityinformation, such as the presence and availability database 335 of FIG.3, in a manner such that another identity may access the presence andavailability information using the identity communication layer. Anotheridentity may use the presence and availability information to establishan ICL session with the endpoint identity 905. The availability service920 sends to the authentication service 910 an announcement indicationas to whether the announcement is authorized for the endpoint identity905 (step 985 pa). The format of this announcement indication may be thesame as or different from the announcement indication received from thepolicy service 915.

The authentication service 910 receives the announcement indication(step 985 a). When announcement is not authorized, the authenticationservice 910 sends to the endpoint identity 905 a notification that theregistration process failed and terminates the process 900. In otherwords, the endpoint identity 905 fails registration when the endpointidentity 905 requests a presence and availability announcement for whichthe endpoint identity 905 is not authorized. The endpoint identity 905fails registration even when the endpoint identity 905 has beensuccessfully authenticated and is authorized to be registered. However,in some implementations, the endpoint identity 905 may be registeredeven when the endpoint identity 905 requests announcement and is not soauthorized.

When the registering endpoint identity 905 is successfully authenticatedand authorized for registration, and when, in the event that anannouncement request accompanied the registration and the announcementrequest succeeded, the authentication service 910 generates a short-termauthentication credential for the endpoint identity 905 (step 990 a).The short-term authentication credential may be used to establish asecure session with another endpoint over the ICL (such as through theprocess 870 of FIG. 8). The short-term authentication credential may bereferred to as an ICL authentication credential. The short-termauthentication credential includes wrapped (serialized and encrypted)and unwrapped portions. The unwrapped portion may contain a short-termauthentication key and a credential lifetime. The wrapped portion isencrypted with a secret key known only to the authentication service,and may include the same short-term 10 authentication key as in thecredential's unwrapped portion, the registrant's identity identifier,the time-of-issue of the short-term authentication credential, and/orthe credential's lifetime. The wrapped portion may be referred to as theregistrant's “ticket granting ticket.”

The ticket granting ticket may permit the registering endpoint identity905 and the authentication service 910 to share a short-termauthentication key, without the authentication service 910 needing tomaintain state information for a registered endpoint. Instead, theendpoint identity 905 maintains the state on behalf of theauthentication service 910, by maintaining the ticket granting ticket aspart of short-term authentication credential of the endpoint identity905. When, in a subsequent operation, the authentication service 910 mayrequire access to the short-term authentication key in order to completean authentication operation, the endpoint identity 905 provides the keyto the authentication service by sending a copy of the ticket grantingticket. Because the ticket granting ticket is encrypted using a keyknown only to the authentication service 910, the endpoint identity 905is unable to tamper with the ticket granting ticket. Relieving theauthentication service 910 from maintaining state information forregistered endpoints may help to improve the scalability of the system.

The authentication service 910 sends the short-term authenticationcredential to the registering endpoint entity 905 in a registrationresponse message (step 995 a). The registration response messageincludes a portion encrypted with a key derived from the registrant'slong-term authentication key. The encrypted portion of the registrationresponse message includes at least the short-term authentication keywithin the unwrapped portion of the short-term authenticationcredential. This may help ensure the confidentiality of the short-termauthentication key during message transit. The registration responsemessage may also include the registrant's identifier, the registrant'snonce, the authentication service's nonce and a MAC derived using thelong-term authentication credential of the registering endpoint 905.

The registering endpoint identity 905 receives the registration responsemessage (step 995 e). When the registration response message contains aMAC, the registering endpoint identity 905 verifies the integrity of themessage contents using the MAC. Due to the presence of the registrant'snonce in the message, MAC verification asserts the integrity,authenticity and freshness of the registration response. If theregistration response message is correct, the endpoint identity 905extracts the short-term authentication credential. The endpoint identity905 may subsequently use the short-term authentication credential toestablish an ICL session.

During the registration process 900, the communication between theendpoint identity 905 and the authentication service 910 uses unsecuredICL relay sessions (which may, for example, correspond to the globaladdress layer 615 and 625 in FIG. 6) in which the endpoint identity 905and the authentication service 910 are identified by their networkglobal addresses (and not by ICL identities). The communications betweenthe authentication service 910, the policy service 915, and the presenceand availability service 920 use secure ICL sessions that use ICLidentities.

FIGS. 10A and 10B depict a process 1000 where a session initiator 1005establishes a secure ICL communications session with a session acceptor1025. This process is an example of the session establishment process870 of FIG. 8. In general terms, process 1000 is a three-party, mediatedauthentication protocol where mutual authentication of session initiatorand acceptor is achieved through the participation of the authenticationservice 1010. In addition to mediating the mutual authentication ofinitiator and acceptor, the authentication service 1010 blocks theestablishment of unauthorized sessions and securely distributespolicy-derived session parameters to both initiator and acceptor.Session parameters may include keying material such as a session key,and quality-of-protection parameters such as whether the initiator andacceptor should use encryption when communicating with each other, whatencryption algorithm to use, and whether to use message authenticationcode (MAC) integrity checks. The authentication service 1010collaborates with the policy service 1015 and presence and availabilityservice 1020 when engaged in the session establishment process 1000. Theauthentication service 1010 also may, in some implementations,collaborate with an identity service.

The process 1000 begins when the session initiator 1005 sends to theauthentication service 1010 a session initiate message (step 1030 si).The session initiate message includes an identity identifier associatedwith the session initiator 1005, a nonce challenge, and the ticketgranting ticket associated with the session initiator 1005. The ticketgranting ticket may have been previously provided by the authenticationservice 1010 or other security management facility, such as by usingprocess 900 described previously with respect to FIG. 9. The ticketgranting ticket may include the short-term authentication credentialassociated with the session initiator 1005. The ticket granting ticketalso may indicate the identity of the session initiator 1005, such as byincluding an identity identifier for the session initiator 1005, thetime that the ticket granting ticket was issued to the session initiator1005, and a lifetime for the ticket granting ticket. The contents of theticket granting ticket may be encrypted (or wrapped) with the secret keyof the authentication service 1010. The session initiator 1005 also mayattach a message authentication code (MAC) to the session initiatemessage using the session initiator's short-term authenticationcredential.

The authentication service 1010 receives the session initiate message(step 1030 a). The authentication service 1010 decrypts the ticketgranting ticket contained in the session initiate message to extract acopy of the short term authentication credential associated with thesession initiator 1005, the time-of-issue of the credential, and thecredential's lifetime (step 1035 a). If the session initiate messagecontains a MAC, the authentication service 1010 verifies the attachedMAC using the short-term authentication credential extracted from theticket granting ticket. This may confirm the integrity and authenticityof the received message.

The authentication service 1010 inspects the time-of-issue and lifetimeto determine the freshness of the ticket granting ticket (step 1035 a).When the lifetime has expired, the authentication service 1010terminates the process 1000. When the authentication service 1010terminates the process 1000, the authentication service 1010 also maysend to the session initiator 1005 a message to inform the sessioninitiator 1005 of the expiration of the ticket granting ticket.

When the ticket granting ticket is judged to be authentic and fresh, theauthentication service 1010 responds by sending a session authenticationchallenge message to the session initiator (step 1040 a). The sessionauthentication challenge message includes a response to the challengereceived from the session initiator 1005, and a new nonce challengegenerated by the authentication service 1010. In one implementation, theresponse to the challenge received from the session initiator 1005 maybe implemented by including the nonce received in step 1030 a togetherwith a MAC derived using the short-term authentication credential of thesession initiator 1010. The identity identifier of the session initiator1005 also may be included in the session authentication challengemessage.

The session initiator 1005 receives the session authentication challengemessage (step 1040 si). The session initiator 1005 authenticates theauthentication service 1010 by verifying the response to the sessioninitiator's original challenge (step 1045 si). When the response isimplemented using a MAC, the authentication may also verify theauthenticity and integrity of the session authentication challengemessage itself. When the authentication service 1010 fails to respondsuccessfully to the challenge (e.g., the session initiator 1005 receivesan incorrect response or does not receive a response at all), thesession initiator 1005 terminates the process 1000.

When the session initiator 1005 receives a correct response from theauthentication service 1010, the session initiator 1005 then responds bysending to the authentication service 1010 a session authenticationresponse message (step 1050 si). The session authentication responsemessage includes a response to the challenge received from theauthentication service 1010 and an identity identifier associated withthe session acceptor 1025. In one implementation, the response to thechallenge received from the authentication service 1010 may beaccomplished by including the nonce received in step 1040 si togetherwith a MAC derived using the short-term authentication credential of thesession initiator 1005. The identity identifier of the session initiator1005 and the session initiator's nonce also may be included in thesession authentication response message. In some implementations, ahierarchical name for the session acceptor 1025 may be included in theauthentication response message, as opposed to an identity identifier.

The authentication service 1010 receives the session authenticationresponse message (step 1050 a) and authenticates the session initiator1005 (step 1051 a). The authentication service 1010 authenticates thesession initiator 1005 by verifying the response to the authenticationservice's original challenge, which may include a MAC for verifying theauthenticity and integrity of the session authentication responsemessage itself. When the session initiator 1010 fails to respondsuccessfully to the challenge (e.g., the authentication service 1010receives an incorrect response or does not receive a response at all),the authentication service 1010 terminates the process 1000.

When the authentication service 1010 receives from the session initiator1010 a correct session authentication response message, theauthentication service 1010 sends to the policy service 1015 anauthorization determination request to determine whether the sessioninitiator 1010 is authorized to initiate a session with the sessionacceptor 1025 (step 1052 a). The request includes the identityidentifier of the session initiator 1010 and the identity identifier ofthe session acceptor 1025.

In some implementations, when the authentication response messageincludes a hierarchical name for the session acceptor 1025 instead of anidentity identifier, the authentication service 1010 may have to queryan identity service, such as identity service 390 of FIG. 3, for theidentity identifier associated with the hierarchical identifier of thesession acceptor 1025. The identity service may access the identityidentifier for a provided hierarchical identifier thorough the use of anidentity database, such as the identity database 340 of FIG. 3, thatassociates an identity identifier with a corresponding hierarchicalidentifier. Once the authentication service 1010 receives the identityidentifier of the session acceptor 1025, the authentication service 1010may proceed as though the identity identifier were received directly inthe authentication response message.

After the authentication service 1010 sends the session authorizationdetermination request to the policy service 1015 (step 1052 a), thepolicy service 1015 receives the authorization determination request(step 1052 p) and determines whether the session initiator 1005 isauthorized to establish a session with the identified session acceptor(step 1054 p). This may be accomplished, for example, when the policyservice 1015 accesses policy information, such as the policy database345 of FIG. 3, that specifies the rules for determining whether aspecified endpoint identity is permitted to establish a session with asecond specified endpoint identity. In one implementation, the policyservice 915 accesses identity information, such as the identity database340 of FIG. 3, to determine a policy role for each identity, and thenuses those roles to evaluate policy rules that specify what roles arepermitted to establish sessions with what other roles. The policyservice 1015 sends to the authentication service 1010 an indication asto whether a session between the session initiator 1005 and the sessionacceptor 1025 is authorized (step 1056 p).

The authentication service 1010 receives the indication as to whetherthe session is authorized (step 1056 a). If the session is notauthorized, the authentication service 1010 terminates the process 1000.When the session is authorized, the authentication service then sends tothe presence and availability service 1020 a request for the address ofthe identified session acceptor (step 1058 a).

The presence and availability service 1020 receives the address request(step 1058 pa) and determines the address of the identified sessionacceptor (step 1060 pa). This may be accomplished, for example, when thepresence and availability service 1020 accesses presence andavailability information, such as the presence and availability database335 of FIG. 3, that specifies an address associated with an identity.

The presence and availability service 1020 sends to the authenticationservice 1010 the address of the session acceptor (step 1062 pa). Theauthentication service 1010 receives the address of the session acceptor1025 and sends to the session initiator the session acceptor addressmessage (step 1062 a). The session acceptor address message includes theaddress of the session acceptor 1025 received from the presence andavailability service 1020. The session acceptor address message may alsoinclude the identity identifier of the session initiator 1005, theidentity identifier of the session acceptor 1025, the sessioninitiator's nonce, the authentication service's nonce, and a messageauthentication code (MAC) derived using the session initiator'sshort-term credential. The session initiator 1005 receives the sessionacceptor address message (step 1062 si). When the session acceptoraddress message contains a MAC, the session initiator 1005 verifies theintegrity of the message contents using the MAC. Due to the presence ofthe session initiator's nonce in the message, the MAC verificationasserts the integrity, authenticity, and freshness of the sessionacceptor address message.

The session initiator 1005 then sends a session acceptor token requestmessage to the session acceptor 1025 (step 1064 si). The sessionacceptor token request message may indicate the desire of the sessioninitiator 1005 to initiate a session with the session acceptor 1025. Thesession initiator 1005 may use the address of the session acceptor 1025received in step 1062 si in order to know where to send the sessionacceptor token request message. The session acceptor token requestmessage may include the identity identifier of the session initiator1005 and the identity identifier of the session acceptor 1025. Thesession acceptor token request message may also include the sessioninitiator's nonce.

The session acceptor 1025 receives the token request message (1064 sa)and responds by sending a session acceptor token response message (step1065 sa). The session acceptor token response message includes a noncechallenge generated by the session acceptor 1025, and the ticketgranting ticket of the acceptor 1025. As described previously withrespect to step 1030 si, the session acceptor 1025 may receive a ticketgranting ticket upon registering as an identity on the network capableof receiving communications. The nonce challenge may be wrapped(encrypted) using the short-term authentication credential of thesession acceptor 1025. The wrapped nonce challenge may further includethe identity identifier of the session initiator 1005, the identityidentifier of the session acceptor 1025, and a cryptographic hash of thetwo identity identifiers and the nonce challenge. All of these wrappedcomponents, considered collectively, may be referred to as the “acceptortoken.” In addition to the acceptor token and the ticket granting ticketof the session acceptor 1025, the session acceptor token responsemessage may include the identity identifier of the session initiator1005, the identity identifier of the session acceptor 1025, and thesession initiator's nonce.

The session initiator 1005 receives the session acceptor token responsemessage (step 1065 si). The session initiator 1005 sends to theauthentication service 1010 a session credential request message (step1070 si). The session credential request message includes the ticketgranting ticket of the session acceptor 1025. The message may alsoinclude the session acceptor's nonce challenge wrapped using the sessionacceptor's short-term authentication credential. In one implementation,the nonce challenge may be included as part of an acceptor token, whichthe session initiator 1005 extracts from the session acceptor tokenresponse message. The session credential request message may alsoinclude the identity identifier of the session initiator 1005, theidentity identifier of the session acceptor 1025, the initiator's nonce,the authentication service's nonce, and a message authentication code(MAC) derived using the short-term authentication credential of thesession initiator 1005.

The authentication service 1010 receives the session credential requestmessage (step 1070 a). When the session credential request messagecontains a MAC, the authentication service 1010 verifies the integrityof the message contents using the MAC. As noted above, the presence ofthe session acceptor's nonce in the message permits MAC verification toassert the integrity, authenticity and freshness of the sessioncredential request. The authentication service 1010 decrypts the ticketgranting ticket of the session acceptor 1025 (and, in the course ofdecrypting the ticket, verifies its integrity and authenticity) toextract the acceptor's short-term authentication credential (step 1071a). The authentication service 1010 also inspects the ticket grantingticket's “time-of-issue” and lifetime to determine the freshness of theticket granting ticket (step 1071 a). When the lifetime has expired, theauthentication service 1010 terminates the process 1000, and theauthentication service 1010 also may send a message to the sessioninitiator 1005 and/or to the session acceptor 1025 to indicate that thesession acceptor's ticket granting ticket has expired.

When the ticket granting ticket is judged to be authentic, fresh, andunexpired, the authentication service 1010 sends session policydetermination request to the policy service 1015 to determine policyinformation that applies to a communication session between the sessioninitiator 1010 and the session acceptor 1025 (step 1072 a). The policyservice 1015 receives the session policy determination request (step1072 p) and determines what session policy settings apply to a sessionbetween the session initiator 1005 and the session acceptor (step 1073p). Session policy settings may include one or more of the settingsdescribed above. The determination of session policy settings may beaccomplished, for example, when the policy service 1015 accesses policyinformation, such as the policy database 345 of FIG. 3, that specifiesthe rules for determining what policy settings apply when a specifiedidentity establishes a session with a second specified identity. In oneimplementation, the policy service 1015 accesses identity information,such as the identity database 340 of FIG. 3, to determine a policy rolefor each identity, and then uses the determined roles to evaluate policyrules that specify what policy settings apply when one role establishesa session with a second role. The policy service 1015 sends to theauthentication service 1010 the session policy settings that apply to asession between the session initiator 1005 and the session acceptor 1025(step 1074 p).

The authentication service 1010 receives the session policy settingsfrom the policy service 1015 (step 1074 a). The authentication service1010 then creates a new session key (or other type of sessioncredential) for the session between the session initiator 1005 and thesession acceptor 1025, and unwraps the session acceptor's nonce that waspreviously received in the session credential request message (step 1075a). The authentication service 1010 sends a session credential responsemessage to the session initiator 1005 (step 1080 a). The sessioncredential response message contains the unwrapped session acceptor'snonce, the policy settings, and the session key. These components may bewrapped (encrypted) using the short-term authentication credential ofthe session initiator 1005. The session credential response message mayalso include a second copy of the policy settings and the session key,wrapped (encrypted) using the short-term authentication credential ofthe session acceptor 1025 extracted from the session acceptor's ticketgranting ticket. The portion that is encrypted using the short-termauthentication credential of the session acceptor 1025 may additionallyinclude any of the identity identifier of the session initiator 1005,the identity identifier of the session acceptor 1025, the sessionacceptor's nonce and/or a cryptographic hash of all wrapped components.All of the components that are wrapped using the short-termauthentication credential of the session acceptor 1025, consideredcollectively, may be referred to as the “session ticket.” In addition tothe session acceptor's nonce, the policy settings, the session key, andthe session ticket, the session credential response message may containthe identity identifier of the session initiator 1005, the identityidentifier of the session acceptor 1025, the session initiator's nonce,the authentication service's nonce, and a message authentication code(MAC) derived using the short-term authentication credential of thesession initiator 1005.

The session initiator 1005 receives the session credential responsemessage (step 1080 si). When the session credential response messagecontains a MAC, the session initiator 1005 verifies the integrity of themessage contents using the MAC to assert the integrity, authenticity andfreshness of the session credential request. The session initiator 1005extracts the acceptor's nonce, the policy settings, and the session keyfrom the session credential response message, decrypting the session keyif necessary. The session initiator 1005 then sends to the sessionacceptor 1025 a session establishment request message (step 1085 si).The session establishment request message includes a response to thechallenge received from the session acceptor 1025, the session ticket,and the session initiator's nonce, which serves as a nonce challenge tothe session acceptor 1025. In one implementation, the response to thechallenge received from the session acceptor 1025 may be accomplished byincluding the nonce received in step 1080 si together with a MAC derivedusing the session key (also received in step 1080 si). In anotherimplementation, in which the session initiator 1005 received in step1065 si the session acceptor's nonce in unencrypted form, the responseto the challenge received from the session acceptor 1025 may beaccomplished by including the unencrypted nonce received in step 1065 sitogether with a MAC derived using the session key received in step 1080si. The session establishment request message may also include theidentity identifier of the session initiator 1005 and the identityidentifier of the session acceptor 1025.

The session acceptor 1025 receives the session establishment requestmessage (step 1085 sa). The session acceptor 1025 decrypts the sessionticket, extracting the policy settings and the session key, and anyother components included in the session ticket (step 1087 sa). When thesession ticket contains a cryptographic hash, the session acceptor 1025verifies the integrity of the session ticket by verifying that the hashhas the correct value. When the session ticket contains the sessionacceptor's nonce, this may further verify the freshness of the sessionticket.

The session acceptor 1025 then authenticates the session initiator 1005by verifying the response to the session acceptor's original challenge(step 1088 sa). This verification may make use of the session keyextracted from the session ticket. When the response is implementedusing a MAC, this may also verify the authenticity and integrity of thesession establishment request message itself. When the session initiator1005 fails to respond successfully to the challenge (e.g., the sessionacceptor 1025 receives an incorrect response or does not receive aresponse at all), the session acceptor 1025 terminates the process 1000.

When the session acceptor 1025 receives a correct response from thesession initiator 1005, the session acceptor 1025 then responds bysending a session establishment response message to the sessioninitiator 1005 (step 1090 sa). The session establishment responsemessage includes a response to the challenge received from the sessioninitiator 1005. In one implementation, the response to the challengereceived from the session initiator 1005 may be accomplished byincluding the nonce received in step 1085 sa together with a MAC derivedusing the session key (also received in step 1085 sa). The sessionestablishment response message may also include the identity identifierof the session initiator 1005, the identity identifier of the sessionacceptor 1025, and the session acceptor's nonce.

The session initiator 1005 receives the session establishment responsemessage (step 1090 si). The session initiator 1005 authenticates thesession acceptor 1025 by verifying the response to the sessioninitiator's challenge (step 1095 si). When the response is implementedusing a MAC, this may also verify the authenticity and integrity of thesession establishment response message itself. When the session acceptor1025 fails to respond successfully to the challenge (e.g., the sessionacceptor 1005 receives an incorrect response or does not receive aresponse at all), the session initiator 1005 terminates the process1000.

When the session initiator 1005 receives a correct response from thesession initiator 1025, the process 1000 has completed successfully. Thesession initiator 1005 and the session acceptor 1025 are able tosecurely communicate using the shared session key created by theauthentication service 1010 and according to the shared policy settingsdelivered by the authentication service 1010.

FIG. 11 illustrates an example data structure 1100 for a short-termauthentication credential used by an identity to establish acommunication session with another identity. The data structure 1100includes an identity identifier 1110, an issue time 1120, a lifetime1130, a short-term authentication key 1140, and encrypted short-termauthentication data 1150. The encrypted short-term authentication data1150 may be referred to as the “ticket granting ticket.”

The identity identifier 1110 refers to an identifier that uniquelyidentifies the identity associated with the short-term authenticationcredential. The identity associated with the short-term authenticationcredential may be referred to as the credential holder.

The issue time 1120 refers to the time at which the short-termauthentication credential was issued. The lifetime 1130 refers to thetime during which the short-term authentication credential may be used.The lifetime 1130 may be expressed, for example, as a number of secondsmeasured from the issue time 1120. The lifetime 1130 also may beexpressed as an expiration time after which the short-termauthentication credential is no longer valid. The short-termauthentication key 1140 refers to a short-term authentication key thatmay be used by the credential holder to perform tasks such asestablishing a session.

The encrypted short-term authentication data 1150 refers to the resultof encrypting the identity identifier 1110, the issue time 1120, thelifetime 1130, and the short-term authentication key 1140. The encryptedshort-term authentication data 1150 may include the result of using thesecret key of a centralized security facility, such as theauthentication service 910 in FIG. 9, to encrypt the identity identifier1110, the issue time 1120, the lifetime 1130, and the short-termauthentication key 1140.

FIG. 12 shows an example of data structure 1200 for a sessioncredential. The data structure 1200 includes a session credentialidentifier 1210, session data encrypted with the short-termauthorization credential of the session initiator 1220, and session dataencrypted with the short-term authorization credential of the sessionacceptor 1230.

The session credential identifier 1210 refers to an identifier thatuniquely identifies the session credential that optionally may beincluded in the session credential 1200.

The session data 1220 or 1230 may include the acceptor nonce 1220A or1230A, session policy data 1220B or 1230B, and a session key 1220C or1230C or other type of session credential. The session data 1220 or 1230optionally may include one or more of the identity identifier of thesession initiator 1220D or 1230D, the identity identifier of the sessionacceptor 1220E or 1230E, the nonce of the authentication service 1220For 1230F, a message authentication code 1220G or 1230G, and the nonce ofthe session initiator 1220H. The session data encrypted with theshort-term authentication credential of the session initiator 1220 maybe the same as, or may be different from, the session data encryptedwith the short-term authentication credential of the session acceptor1230.

The acceptor nonce 1220A or 1230A refers to the nonce (e.g., asingle-use random number) provided, for example by the session acceptorin conjunction with the session-acceptor challenge during a sessionestablishment procedure, such as described by step 1065 sa of FIG. 10A.

The session policy data 1220B or 1230B may include, for example,information about security requirements, quality requirements, or othertypes of requirements to govern the session. For example, session policydata 1220B or 1230B may include an indication as to whether messageauthentication is required, an indication as to whether messageintegrity is required, an indication as to whether messageconfidentiality is required, an indication as to whether message replaydetection is required, and a network performance parameter, such as aquality of service (QoS) parameter, and a quality of performance (QoP)parameter. The quality parameters may be established, for example, by acentral or decentralized security management facility, such as thepolicy service 395 of FIG. 3, the policy service 915 of FIG. 9, or thepolicy service 1015 of FIGS. 10A and 10B.

The session key 1220C or 1230C refers to a session key that may be usedduring a session to which the session credential 1200 applies. Thesession key may be generated by an authentication service, such asauthentication service 330 of FIG. 3, authentication service 910 of FIG.9, or authentication service 1010 of FIGS. 10A and 10B.

The session initiator identifier 1220D or 1230D refers to an identityidentifier that uniquely identifies the session initiator. The sessionacceptor identity identifier 1220E or 1230E refers to an identityidentifier that uniquely identifies the session acceptor.

The nonce of the authentication service 1220F or 1230F refers to thenonce (e.g., a single-use random number) provided, for example, by theauthentication service in conjunction with the authentication-servicechallenge during a session establishment procedure, such as described bystep 1040 a of FIG. 10A.

The message authentication code 1220G or 1230G may be a messageauthentication code (MAC) derived using the session key, the short-termauthentication credential of the session initiator or the short-termauthentication credential of the session acceptor.

The nonce of the session initiator 1220H refers to the nonce (e.g., asingle-use random number) provided, for example, by the sessioninitiator in conjunction with the session establishment response messageexchange of the session establishment procedure, such as described bystep 1090 sa of FIG. 10B.

FIG. 13 illustrates an architecture 1300 for sending telemetry data froma data producer 1311 to one or more data receivers 1321 a and 1321 b.The data producer 1311 resides within a device or computer system 1310that includes the data producer 1311, a client-side telemetry module1312, and a communications module 1313. In one implementation, thecommunications module 1313 may be an identity-based communicationslayer, such as the ICL endpoint library 305 of FIG. 3, the initiatingICL software 412 of FIG. 4, or the initiating ICL software 612 of FIG.6. The data receivers 1321 a and 1321 b reside on a device or computersystem 1320 that includes the data receivers 1321 a and 1321 b, aserver-side telemetry module 1322, and a communications module 1323. Inone implementation, the communications module 1323 may be anidentity-based communications layer such as the ICL endpoint library 305of FIG. 3, the accepting ICL software 422 of FIG. 4, or the acceptingICL software 622 of FIG. 6.

Telemetry data may consist of a series of data elements defined by thedata producer 1311. The series of data elements may be homogeneous suchthat each successive data element has the same internal structure, orthe series of data elements may be heterogeneous such that eachsuccessive data element may have a different internal structure. A dataproducer may create more than one series of data elements, with eachseries having a meaning that is independent of other series and beingexpected to be used independently of the other series. For example, oneseries of data elements may represent temperature and humidity readingstaken at regular intervals from a weather sensor, while a second seriesof data elements may represent events that are generated each time abutton on a device is pressed.

A data producer 1311 uses the client-side telemetry module 1312 to senddata elements to data receivers 1321 a and 1321 b. Typically, the datareceivers 1321 a and 1321 b have expressed an interest in receivingtelemetry data from the data producer 1311. In one implementation, adata receiver 1321 a may register with the server-side telemetry module1322 to indicate interest in receiving telemetry data from a particulardata producer and receiving a particular series of data elements. Inanother implementation, a configuration file may be provided to theserver-side telemetry module 1322 to specify the particular datareceivers 1321 a and 1321 b that are to receive the particular series ofdata elements. In some implementations, a data receiver may receivemultiple series of data elements from the same data producer, mayreceive multiple series of data elements from different data producers,and/or may receive only a single series of data elements. In otherimplementations, a data receiver may be receiving only one series ofdata elements, or a data receiver may receive multiple series of dataelements from a single data producer.

The data producer 1311 creates and provides one or more series of dataelements to the client-side telemetry module 1312. A data elementproduced by the data producer 1311 also may be referred to as a clientdata element. The client-side telemetry module 1312 receives the one ormore series of client data elements. The client-side telemetry module1312 may associate additional information with each client data element.The combination of the client data element and the associatedinformation created by the client-side telemetry module 1321 may bereferred to as a telemetry data element.

Examples of additional information that the client-side telemetry module1321 may associate with each telemetry data element includes an identityidentifier associated with the data producer 1311, a series identifierthat is unique across all data series produced by the data producer1311, and/or a data element identifier that is unique across all dataelements produced by the data producer 1311 within a particular dataelement series. A data element produced by the data producer 1311 may bereferred to as a client data element, and the combination of the clientdata element and the associated information created by the client-sidetelemetry module 1321 may be referred to as a telemetry data element.

A key issue in sending and using telemetry data is the construction ofthe data element identifier that the client-side telemetry module 1321associates with each data element. A data element with the properties ofuniqueness, monotonicity, and/or adjacency may be advantageous. Theproperty of uniqueness refers to a data element identifier that isunique across all data elements produced by the data producer 1311within a particular data element series. The property of monotonicityrefers to the sufficiency of a data element identifiers to determine theorder in which data elements were created by the data producer 1311. Theproperty of adjacency refers to the ability to determine that a dataelement is missing in the series. For example, a missing data elementmay be detected through the identification of a gap in the series ofreceived data element identifiers. It may further be desirable for theseproperties to be preserved even when the computer system or device 1310powers down or crashes in between the generation of successive dataelements within a series.

An integer sequence number that is incremented by one for eachsuccessive data element is an example of a data element identifierhaving all three properties of uniqueness, monotonicity, and adjacency.This may be accomplished, for example, when the sequence number that wasmost recently assigned to a data element (e.g., the last sequence numberassigned to a data element) is recorded in a persistent storage that iscapable of surviving the powering down or crash of the device orcomputer system 1310. The recording of the most recently assignedsequence number may help ensure the uniqueness, monotonicity, andadjacency of data element identifiers in the event that the computersystem or device 1310 powers down or crashes in between the generationof successive data elements.

Another example of a data identifier is a pair of integers, with thefirst integer being a generation number and the second integer being asequence number. Each time the device or computer system 1310 powersdown or crashes, the generation number is incremented by one and thesequence number is reset to zero. Between power-down or crash events,the sequence number is incremented by one each time a new data elementis produced. This kind of data identifier has the properties ofuniqueness and monotonicity, and has a limited form of adjacency in thatmissing elements may be detected everywhere except immediately prior toa power down or crash. This kind of data identifier may require lessfrequent access to persistent storage than a single integer sequencenumber data identifier. This may be, for example, because only thegeneration number may need to be recorded in persistent storage, and thegeneration number changes only after a power-down or crash event ratherthan after the generation of each successive data element.

In one implementation, the persistent storage for sequence numbersand/or generation numbers is provided by a third device or computersystem 1330 which hosts a sequence number module 1331 and a sequencenumber database 1332. In this implementation, the client-side telemetrymodule 1312 sends an update request to the sequence number module 1331when the stored sequence number or generation number needs to beupdated, and the sequence number module 1331 updates the sequence numberdatabase 1332 accordingly. When the client-side telemetry module powersup or recovers from a crash, the client-side telemetry module sends arequest to the sequence number module 1331 to retrieve the most recentvalue of the sequence number or generation number. When there are manydata producers 1311, the sequence number database 1332 may be organizedto store sequence numbers and/or generation numbers according to theidentity identifier of each data producer 1311.

In another implementation, the persistent storage for sequence numbersand/or generation numbers is implemented by a non-volatile memorycontained within the device or computer system 1310 itself.

The client-side telemetry module 1312 then uses a communications module1313 to communicate the telemetry data elements to a correspondingcommunications module 1323 residing on the computer system 1320 thathosts data receivers 1321 a and 1321 b.

The communications module 1323 receives the telemetry data elements andpasses the received telemetry data elements to a server-side telemetrymodule 1322.

The server-side telemetry module 1322 may perform checks on the incomingtelemetry data elements to verify that no elements are missing. Theserver-side telemetry module 1322 also may segregate received telemetrydata elements according to the identity of the data producer 1311. Theserver-side telemetry module 1322 also may segregate the receivedtelemetry data elements into several separate series of data elementsproduced by the data producer 1311. The server-side telemetry module1322 determines which of data receivers 1321 a and 1321 b is to receiveeach received telemetry data element. The determination of whether datareceiver 1321 a or 1321 b is to receive a given received data elementmay be made on the basis of the identity of the data producer, and/orthe series of data elements to which a received telemetry data elementbelongs.

The server-side telemetry module 1322 may use the information containedwithin a telemetry data element to route received data elements to theappropriate data receiver 1321. For example, the server-side telemetrymodule 1322 may use the identity identifier of the data producer 1311and/or the series identifier to determine which data receiver 1321 touse. When the data element identifiers have the adjacency property, theserver-side telemetry module may also use the data element identifier todetect and report to the data receiver 1321 any missing data in thereceived sequence of data elements. The server-side telemetry module mayalso use the data element identifier to detect and correct the presenceof duplicates in the received data elements (when the data elementidentifiers have the uniqueness property), or out-of-order data elements(when the data element identifiers have the monotonicity property).

The server-side telemetry module 1322 then passes the appropriate dataelements to the appropriate data receiver 1321 a or 1321 b.

The data receiver 1321 a or 1321 b may be one of several types. Forexample, a data receiver 1321 a may act to process each data element assoon as the date element is received, and may do so by performing someapplication-specific task.

As another example, a data receiver 1321 b may act to store receiveddata elements into a database or other type of data store 1324. Thedatabase 1324 may be, for example, a relational database, anobject-oriented database, a collection of files (such as extensiblemark-up language (XML) files), or another type of data collection.

When a data receiver 1321 b stores received data elements into arelational database, the data receiver 1321 b may store additionalinformation in the telemetry data element. For example, the datareceiver 1321 b may store the identity identifier of the data producer1311, the series identifier, and/or the data element identifier alongwith the data element. When the data element identifier has theuniqueness property, the data element identifier together with the dataproducer identity identifier and the series identifier may constitute aunique primary key for the data elements within the database.

When data elements and the identity identifier of the data producer 1311are stored in a database 1324, the identity identifier may be used toassociate additional information with the stored data elements. Forexample, an application reading data from the database 1324 may use thestored identity identifier to access additional information about theidentity of the data producer 1311. Additional information about theidentity of the data producer may be obtained, for example, from anidentity database such as the identity database 340 in FIG. 3, includingattributes, version, and other information.

In another example, when the identity identifier of the data producer1311 is a composite identity, an application that receives telemetrydata may be able to access information about the circumstances in whichthe data producer 1311 produced the data. For example, when the identityidentifier of the data producer 1311 is a composite identity associatedwith the identity identifier of a specific user and the identityidentifier of a specific device, and the data was produced through theactivities of the user when logged into the device, an application thatreceives the telemetry data may use the identity identifier of the dataproducer 1311 to determine the associated identities of the device andthe user. This may allow, for example, an application to analyze data onthe basis of the particular user and the particular device that producedthe data.

When the communications modules 1313 and 1323 are implemented asidentity-based communications layers, such as the ICL endpoint library305 of FIG. 3, the initiating ICL software 412 of FIG. 4, or theinitiating ICL software 612 of FIG. 6, the identity identifier of thedata producer 1311 may be the same identity identifier that is used inconjunction with ICL authentication and session establishment. When thatis the case, an application that receives telemetry data may benefitfrom the additional assurance that the identity identifier received withtelemetry data is authentic.

FIG. 14 illustrates an example data structure 1400 for a telemetry dataelement. The telemetry data element 1400 comprises a data produceridentity identifier 1410, a series identifier 1420, a data elementidentifier 1430, and a client data element 1440.

The data producer identity identifier 1410 identifies the data producerthat produced the telemetry data element. The series identifier 1420identifies the series of data elements to which the telemetry dataelement belongs.

The data element identifier 1430 uniquely identifies the data elementthrough the use of a generation number 1431 and a sequence number 1432.The generation number 1431 identifies the generation or period in whichthe device or computer system that produced the data was active. Thegeneration number 1431 may be an integer that is incremented by one eachtime the data producer 1311 powers up or recovers from a crash. Thesequence number 1432 identifies a particular data element within thegeneration represented by the generation number 1431. The sequencenumber 1432 may be an integer that is reset to zero each time the dataproducer 1311 powers up or recovers from a crash and that is incrementedby one each time a new data element is generated within a given dataseries.

The client data element 1440 comprises producer-defined data that isproduced by the data producer.

A number of implementations have been described. Nevertheless, it willbe understood that various modifications may be made. Accordingly, otherimplementations are within the scope of the following claims.

1. A method for communicating between two endpoints connected to anetwork, the method comprising having a first endpoint use a globaladdress of a second endpoint to communicate with the second endpoint,wherein: the global address specifies a protocol, a network identifier,and an address meaningful for the combination of the protocol and anetwork identified by the network identifier, an application sendsmessages directed to the second endpoint through an identity-basedcommunication layer that is situated between a network layer and anapplication layer, the messages being independent of the protocol, andthe identity-based communication layer transmits the messages to thesecond endpoint using the protocol, the network, and the addressspecified by the global address.
 2. The method of claim 1 furthercomprising determining the global address of the second endpoint byusing a unique identity identifier associated with the second endpoint.3. The method of claim 2 wherein the global address may be differenteach time a session is initiated with the second endpoint.
 4. The methodof claim 2 wherein: the unique identity identifier specifies a realm anda unique identifier that identifies the second endpoint within therealm, and the combination of the realm and the unique identifieruniquely identifies the identity.
 5. The method of claim 2 wherein theunique identity identifier comprises an identity identifier for acomposite identity, the composite identity being associated with two ormore other identity identifiers.
 6. The method of claim 5 wherein thecomposite identity is associated with an authentication credential. 7.The method of claim 5 further comprising creating the composite identityonly when each of the two or more other identity identifiers associatedwith the composite identity have been authenticated.
 8. The method ofclaim 5 wherein at least one of the two or more other identityidentifiers associated with the composite identity comprises an identityidentifier for another composite identity.
 9. The method of claim 2wherein determining the global address is accomplished through the useof a presence and availability service that provides the global addressin response to a received identity identifier.
 10. The method of claim 9further comprising having the second endpoint announce the globaladdress of the second endpoint through the use of the presence andavailability service.
 11. The method of claim 10 further comprising:determining whether the second endpoint is permitted to announce theglobal address; and only when the second endpoint is permitted toannounce the global address, having the second endpoint announce theglobal address through the use of the presence and availability service.12. The method of claim 11 wherein determining whether the secondendpoint is permitted to announce the global address is based on theidentity identifier of the second endpoint.
 13. The method of claim 11wherein determining whether the second endpoint is permitted to announcethe global address is performed by a policy service.
 14. The method ofclaim 10 wherein the global address the presence and availabilityservice provides in response to an identity identifier is the globaladdress most recently announced by the endpoint associated with thatidentity identifier.
 15. The method of claim 2 wherein determining theglobal address of the second endpoint occurs during an authenticationprocedure involving the first endpoint, the second endpoint and a thirdentity.
 16. The method of claim 15 further comprising: determiningwhether a communication session between the second endpoint and a firstendpoint is permitted; and completing the authentication procedure onlywhen the communication session is permitted.
 17. The method of claim 16wherein determining whether the communication session is permitted isbased on the identity identifier of at least one of the second endpointand the first endpoint.
 18. The method of claim 16 wherein determiningwhether the communication session is permitted is performed by a policyservice.
 19. The method of claim 1 further comprising encryptingmessages exchanged in the communication session between the firstendpoint and the second endpoint.
 20. The method of claim 19 farthercomprising having a policy service determine whether to encrypt messagesexchanged in the communication session between the first endpoint andthe second endpoint.
 21. The method of claim 19 wherein determiningwhether to encrypt messages occurs when the first endpoint initiates acommunication session with the second endpoint.
 22. The method of claim19 wherein determining whether to encrypt messages is based on theidentity identifier of at least one of the first endpoint and the secondendpoint.
 23. The method of claim 19 wherein determining whether toencrypt messages occurs during an authentication procedure involving thefirst endpoint, the second endpoint, and a third entity.
 24. The methodof claim 1 further comprising applying an integrity check to a messageexchanged in the communication session between the first endpoint andthe second endpoint.
 25. The method of claim 24 wherein the integritycheck employs a message authentication code.
 26. The method of claim 24further comprising having a policy service determine whether to applyintegrity checks to messages exchanged in the communication sessionbetween the first endpoint and the second endpoint.
 27. The method ofclaim 24 wherein determining whether to apply data integrity checksoccurs when the first endpoint initiates a communication session withthe second endpoint.
 28. The method of claim 27 wherein determiningwhether to apply data integrity checks is based on the identityidentifier of at least one of the first endpoint and the secondendpoint.
 29. The method of claim 27 wherein determining whether toapply data integrity checks occurs during an authentication procedureinvolving the first endpoint, the second endpoint, and a third entity.30. The method of claim 1 wherein: the first endpoint is connected to afirst network, the second endpoint is connected to a second network, anda relay is used to connect the first network and the second network. 31.The method of claim 1 wherein the protocol comprises a message-framingprotocol using the transmission control protocol.
 32. The method ofclaim 31 wherein the address meaningful for the combination of theprotocol and the network identified by the network identifier comprisesan Internet Protocol address and a transmission control protocol portnumber.
 33. The method of claim 31 wherein the address meaningful forthe combination of the protocol and the network identified by thenetwork identifier comprises an Internet Protocol domain name and atransmission control protocol port number.
 34. The method of claim 1wherein the protocol is the Hypertext Transfer Protocol.
 35. The methodof claim 34 wherein the address meaningful for the combination of theprotocol and the network identified by the network identifier comprisesa uniform resource locator.
 36. The method of claim 2 wherein theidentity identifier of the second endpoint is associated with more thanone global address, the method further comprising selecting a globaladdress for the second endpoint from the more than one global addressassociated with the identity identifier of the second endpoint to usefor communicating between the first endpoint and the second endpoint.37. A method for communicating between two endpoints connected to anetwork, the method comprising: having an application of a firstendpoint provide to a global-address-based communication layer (1) amessage destined for a second endpoint, and (2) a global address of thesecond endpoint, wherein the global address specifies a protocol, anetwork identifier, and an address meaningful for the combination of theprotocol and a network identified by the network identifier; having theglobal-address-based communication layer select an appropriatenetworking layer; having the global-address-based communication layerprovide to the selected networking layer (1) the message destined forthe second endpoint and (2) the address meaningful for the combinationof the protocol and network identified by the network identifier; andhaving the selected networking layer send the message to the secondendpoint.
 38. The method of claim 37 wherein the selected networkinglayer transmits the message using the protocol specified by the globaladdress of the second endpoint.
 39. The method of claim 37 furthercomprising: having the application provide to an identity-basedcommunication layer (1) a message destined for the second endpoint and(2) an identity identifier associated with the second endpoint; havingthe identity-based communication layer use a presence and availabilityservice to determine the global address of the second endpoint using theidentity identifier associated with the second endpoint; and having theidentity-based communication layer provide to the global-address-basedcommunications layer (1) the message destined for the second endpointand (2) the global address of the second endpoint.
 40. The method ofclaim 39 wherein using the presence and availability service todetermine the global address of the second endpoint comprises: sendingto the presence and availability service the identity identifierassociated with the second endpoint; and receiving from the presence andavailability service the global address associated with the secondendpoint.
 41. The method of claim 37 further comprising: having anetworking layer of the second endpoint receive the message andproviding the message to a global-address-based communication layer ofthe second endpoint; and having the global-address-based communicationlayer of the second endpoint provide the message to an application layerof the second endpoint.
 42. The method of claim 41 further whereinproviding the message to the application layer of the second endpointcomprises: having the global-address-based communication layer of thesecond endpoint provide the message to an identity-based communicationlayer of the second endpoint; and having the identity-basedcommunication layer of the second endpoint provide the message to theapplication layer of the second endpoint.
 43. A computer-readable mediumhaving embodied thereon a computer program configured to communicatebetween two endpoints connected to a network, the medium comprising oneor more code segments configured to: have a first endpoint use a globaladdress of a second endpoint to communicate with the second endpoint,have the global address specify a protocol, a network identifier, and anaddress meaningful for the combination of the protocol and a networkidentified by the network identifier, have an application send messagesdirected to the second endpoint through an identity-based communicationlayer that is situated between a network layer and an application layer,the messages being independent of the protocol, and have theidentity-based communication layer transmit the messages to the secondendpoint using the protocol, the network, and the address specified bythe global address.
 44. The medium of claim 43 wherein the one or morecode segments are further configured to determine the global address ofthe second endpoint by using a unique identity identifier associatedwith the second endpoint.
 45. The medium of claim 44 wherein the globaladdress may be different each time a session is initiated with thesecond endpoint.
 46. The medium of claim 44 wherein the identityidentifier comprises an identity identifier for a composite identity,the composite identity being associated with two or more other identityidentifiers.
 47. The medium of claim 43 wherein: the first endpoint isconnected to a first network, the second endpoint is connected to asecond network, and a relay is used to connect the first network and thesecond network.
 48. The medium of claim 44 wherein: the identityidentifier of the second endpoint is associated with more than oneglobal address, and the one or more code segments are further configuredto select a global address for the second endpoint from the more thanone global address associated with the identity identifier of the secondendpoint to use for communicating between the first endpoint and thesecond endpoint.
 49. A computer-readable medium having embodied thereona computer program configured to communicate between two endpointsconnected to a network, the medium comprising one or more code segmentsconfigured to: have an application of a first endpoint provide to aglobal-address-based communication layer (1) a message destined for asecond endpoint, and (2) a global address of the second endpoint,wherein the global address specifies a protocol, a network identifier,and an address meaningful for the combination of the protocol and anetwork identified by the network identifier; have theglobal-address-based communication layer select an appropriatenetworking layer; have the global-address-based communication layerprovide to the selected networking layer (1) the message destined forthe second endpoint and (2) the address meaningful for the combinationof the protocol and network identified by the network identifier; andhave the selected networking layer send the message to the secondendpoint.
 50. The medium of claim 49 wherein the selected networkinglayer transmits the message using the protocol specified by the globaladdress of the second endpoint.
 51. The medium of claim 49 wherein theone or more code segments are further configured to: have theapplication provide to an identity-based communication layer (1) amessage destined for the second endpoint and (2) an identity identifierassociated with the second endpoint; have the identity-basedcommunication layer use a presence and availability service to determinethe global address of the second endpoint using the identity identifierassociated with the second endpoint; and have the identity-basedcommunication layer provide to the global-address-based communicationslayer (1) the message destined for the second endpoint and (2) theglobal address of the second endpoint.
 52. A system for communicatingbetween two endpoints connected to a network, the system comprising aprocessor connected to a storage device and one or more input/outputdevices, wherein the processor is configured to: have a first endpointuse a global address of a second endpoint to communicate with the secondendpoint, have the global address specify a protocol, a networkidentifier, and an address meaningful for the combination of theprotocol and a network identified by the network identifier, have anapplication send messages directed to the second endpoint through anidentity-based communication layer that is situated between a networklayer and an application layer, the messages being independent of theprotocol, and have the identity-based communication layer transmit themessages to the second endpoint using the protocol, the network, and theaddress specified by the global address.
 53. The system of claim 52wherein the processor is further configured to determine the globaladdress of the second endpoint by using a unique identity identifierassociated with the second endpoint.
 54. The system of claim 53 whereinthe global address may be different each time a session is initiatedwith the second endpoint.
 55. The system of claim 53 wherein theidentity identifier comprises an identity identifier for a compositeidentity, the composite identity being associated with two or more otheridentity identifiers.
 56. The system of claim 52 wherein: the firstendpoint is connected to a first network, the second endpoint isconnected to a second network, and a relay is used to connect the firstnetwork and the second network.
 57. The system of claim 52 wherein: theidentity identifier of the second endpoint is associated with more thanone global address, and the processor is further configured to select aglobal address for the second endpoint from the more than one globaladdress associated with the identity identifier of the second endpointto use for communicating between the first endpoint and the secondendpoint.
 58. A system for communicating between two endpoints connectedto a network, the system comprising a processor connected to a storagedevice and one or more input/output devices, wherein the processor isconfigured to: have an application of a first endpoint provide to aglobal-address-based communication layer (1) a message destined for asecond endpoint, and (2) a global address of the second endpoint,wherein the global address specifies a protocol, a network identifier,and an address meaningful for the combination of the protocol and anetwork identified by the network identifier have theglobal-address-based communication layer select an appropriatenetworking layer; have the global-address-based communication layerprovide to the selected networking layer (1) the message destined forthe second endpoint and (2) the address meaningful for the combinationof the protocol and network identified by the network identifier; andhave the selected networking layer send the message to the secondendpoint.
 59. The system of claim 58 wherein the selected networkinglayer transmits the message using the protocol specified by the globaladdress of the second endpoint.
 60. The system of claim 58 wherein theprocessor is further configured to: have the application provide to anidentity-based communication layer (1) a message destined for the secondendpoint and (2) an identity identifier associated with the secondendpoint; have the identity-based communication layer use a presence andavailability service to determine the global address of the secondendpoint using the identity identifier associated with the secondendpoint; and have the identity-based communication layer provide to theglobal-address-based communications layer (1) the message destined forthe second endpoint and (2) the global address of the second endpoint.